Privacy

Are NIST's privacy controls out of date?


A chief privacy officer must ensure that whatever personal data an agency gathers is the right information for the job, that it is collected legally and that it is stored safely. Appendix J of the National Institute of Standards and Technology’s Special Publication 800-53 spells out the privacy controls federal agencies must implement.

Appendix J was first included in the fourth, and most recent, revision of SP 800-53, the guidance covering security and privacy controls for federal information systems and organizations. At a Sept. 8 NIST workshop, privacy experts gathered to discuss what changes should be made to the privacy controls in the next revision of the publication.

Workshop attendees said Appendix J’s inclusion in that 2014 guidance has helped with the credibility of their field; it placed them on equal footing with their cybersecurity peers because both sets of standards were side-by-side in the same document. But no one argued the job is done.

Jamie Danker, the senior privacy officer for National Protection and Programs Directorate at the Department of Homeland Security, summed it up when she said, “I love Appendix J controls, and I also hate them at the same time.”

After nearly two years of real-world application, it has become clear there are blind spots. Danker said it would be helpful to have information on how to better identify a privacy risk. Sean Brooks, a privacy engineer at NIST, said there is not enough information for identifying and solving problems that don’t involve a malicious actor.

One member of a breakout session (which was not for attribution) said that chief privacy officers in companies are at the level now that CIOs were at around the turn of the century -- putting them 15 years behind in the organization.

The growing importance of privacy could help with this, according to Marc Groman, the senior advisor for privacy at the Office of Management and Budget. Getting people to realize privacy will help, not hamper, innovation could improve privacy’s image and lead to focus in the area, he said.

Another session member said that SP 800-53 should be written in a way that doesn’t just tack privacy on at the end. Privacy and security should be integrated throughout the document because privacy experts rely heavily on security experts and vice versa. There needs to be more communication between them, attendees said.

Other concerns included the lack of metrics for measuring implementation of Appendix J and the lack of an assessment process for it.

The agenda for the workshop said the goal was to identify “whether changes should be made in the publication’s fifth revision.” The clear consensus from the day was yes, but what those changes should be was far from decided.

This article was originally posted to GCN, a sister site to FCW.


About the Author

Matt Leonard is a reporter/producer at GCN.

Before joining GCN, Leonard worked as a local reporter for The Smithfield Times in southeastern Virginia. In his time there he wrote about town council meetings, local crime and what to do if a beaver dam floods your back yard. Over the last few years, he has spent time at The Commonwealth Times, The Denver Post and WTVR-CBS 6. He is a graduate of Virginia Commonwealth University, where he received the faculty award for print and online journalism.

Leonard can be contacted at mleonard@gcn.com or follow him on Twitter @Matt_Lnrd.
