Are NIST's privacy controls out of date?

A chief privacy officer must ensure that whatever personal data an agency gathers is the right information for the job, that it is collected legally and that it is stored safely. Appendix J of the National Institute of Standards and Technology’s Special Publication 800-53 spells out the privacy controls federal agencies must implement.

Appendix J was first included in the fourth, and most recent, version of SP 800-53, the guidance covering security and privacy controls for federal information systems and organizations. At a Sept. 8 NIST workshop, privacy experts gathered to discuss what changes should be made to the privacy controls in the next version of publication.

Workshop attendees said Appendix J’s inclusion in that 2014 guidance has helped with the credibility of their field; it placed them on equal footing with their cybersecurity peers because both sets of standards were side-by-side in the same document. But no one argued the job is done.

Jamie Danker, the senior privacy officer for National Protection and Programs Directorate at the Department of Homeland Security, summed it up when she said, “I love Appendix J controls, and I also hate them at the same time.”

After nearly two years of real-world application, it has become clear there are blind spots. Danker said it would be helpful to have information on how to better identify a privacy risk. Sean Brooks, a privacy engineer at NIST, said there is not enough information for identifying and solving problems that don’t involve a malicious actor.

One member of a breakout session (which was not for attribution) said that chief privacy officers in companies are at the level now that CIOs were at around the turn of the century -- putting them 15 years behind in the organization.

The growing importance of privacy could help with this, according to Marc Groman, the senior advisor for privacy at the Office of Management and Budget. Getting people to realize privacy will help, not hamper, innovation could improve privacy’s image and lead to focus in the area, he said.

Another session member said that SP 800-53 should be written in a way that doesn’t just tack privacy on at the end. Privacy and security should be integrated throughout the document because privacy experts rely heavily on security experts and vice versa. There needs to be more communication between them, attendees said.

Other concerns included the inability the lack of metrics for implementation of Appendix J and the lack of an assessment process for it.

The agenda for the workshop said the goal was to identity “whether changes should be made in the publication’s fifth revision.” The clear consensus from the day was yes, but what those changes should be was far from decided.

This article was originally posted to GCN, a sister site to FCW.