Are NIST's privacy controls out of date?

A chief privacy officer must ensure that whatever personal data an agency gathers is the right information for the job, that it is collected legally and that it is stored safely. Appendix J of the National Institute of Standards and Technology’s Special Publication 800-53 spells out the privacy controls federal agencies must implement.

Appendix J was first included in the fourth, and most recent, version of SP 800-53, the guidance covering security and privacy controls for federal information systems and organizations. At a Sept. 8 NIST workshop, privacy experts gathered to discuss what changes should be made to the privacy controls in the next version of the publication.

Workshop attendees said Appendix J’s inclusion in that 2014 guidance has helped with the credibility of their field; it placed them on equal footing with their cybersecurity peers because both sets of standards were side-by-side in the same document. But no one argued the job is done.

Jamie Danker, the senior privacy officer for National Protection and Programs Directorate at the Department of Homeland Security, summed it up when she said, “I love Appendix J controls, and I also hate them at the same time.”

After nearly two years of real-world application, it has become clear there are blind spots. Danker said it would be helpful to have information on how to better identify a privacy risk. Sean Brooks, a privacy engineer at NIST, said there is not enough information for identifying and solving problems that don’t involve a malicious actor.

One member of a breakout session (which was not for attribution) said that chief privacy officers in companies are at the level now that CIOs were at around the turn of the century -- putting them 15 years behind in the organization.

The growing importance of privacy could help with this, according to Marc Groman, the senior advisor for privacy at the Office of Management and Budget. Getting people to realize privacy will help, not hamper, innovation could improve privacy’s image and lead to focus in the area, he said.

Another session member said that SP 800-53 should be written in a way that doesn’t just tack privacy on at the end. Privacy and security should be integrated throughout the document because privacy experts rely heavily on security experts and vice versa. There needs to be more communication between them, attendees said.

Other concerns included the lack of metrics for implementation of Appendix J and the lack of an assessment process for it.

The agenda for the workshop said the goal was to identify “whether changes should be made in the publication’s fifth revision.” The clear consensus from the day was yes, but what those changes should be was far from decided.

This article was originally posted to GCN, a sister site to FCW.


About the Author

Matt Leonard is a reporter/producer at GCN.

Before joining GCN, Leonard worked as a local reporter for The Smithfield Times in southeastern Virginia. In his time there he wrote about town council meetings, local crime and what to do if a beaver dam floods your back yard. Over the last few years, he has spent time at The Commonwealth Times, The Denver Post and WTVR-CBS 6. He is a graduate of Virginia Commonwealth University, where he received the faculty award for print and online journalism.

Leonard can be contacted at mleonard@gcn.com or follow him on Twitter @Matt_Lnrd.