Privacy

Are NIST's privacy controls out of date?


A chief privacy officer must ensure that whatever personal data an agency gathers is the right information for the job, that it is collected legally and that it is stored safely. Appendix J of the National Institute of Standards and Technology’s Special Publication 800-53 spells out the privacy controls federal agencies must implement.

Appendix J was first included in the fourth, and most recent, version of SP 800-53, the guidance covering security and privacy controls for federal information systems and organizations. At a Sept. 8 NIST workshop, privacy experts gathered to discuss what changes should be made to the privacy controls in the next version of the publication.

Workshop attendees said Appendix J’s inclusion in that 2014 guidance has helped with the credibility of their field; it placed them on equal footing with their cybersecurity peers because both sets of standards were side-by-side in the same document. But no one argued the job is done.

Jamie Danker, the senior privacy officer for National Protection and Programs Directorate at the Department of Homeland Security, summed it up when she said, “I love Appendix J controls, and I also hate them at the same time.”

After nearly two years of real-world application, it has become clear there are blind spots. Danker said it would be helpful to have information on how to better identify a privacy risk. Sean Brooks, a privacy engineer at NIST, said there is not enough information for identifying and solving problems that don’t involve a malicious actor.

One member of a breakout session (which was not for attribution) said that chief privacy officers in companies are at the level now that CIOs were at around the turn of the century -- putting them 15 years behind in the organization.

The growing importance of privacy could help with this, according to Marc Groman, the senior advisor for privacy at the Office of Management and Budget. Getting people to realize privacy will help, not hamper, innovation could improve privacy’s image and lead to focus in the area, he said.

Another session member said that SP 800-53 should be written in a way that doesn’t just tack privacy on at the end. Privacy and security should be integrated throughout the document because privacy experts rely heavily on security experts and vice versa. There needs to be more communication between them, attendees said.

Other concerns included the lack of metrics for measuring implementation of Appendix J and the lack of an assessment process for it.

The agenda for the workshop said the goal was to identify “whether changes should be made in the publication’s fifth revision.” The clear consensus from the day was yes, but what those changes should be was far from decided.

This article was originally posted to GCN, a sister site to FCW.


About the Author

Matt Leonard is a former reporter for GCN.
