NIST proposes new privacy controls for federal information systems and organizations

Jul 20, 2011

With increasing dependency on information systems and advances in cloud computing, the smart grid and mobile computing, maintaining the confidentiality and integrity of citizens' personally identifiable information is a growing challenge. A new draft document from the National Institute of Standards and Technology (NIST) addresses that challenge by adding privacy controls to the catalog of security controls used to protect federal information and information systems.

Personally identifiable (PII) is information that is unique to an individual, such as a social security number, birth information, fingerprints and other biometrics. In the wrong hands, PII can be used in identity theft, fraud or other criminal activities. Today, more than ever, citizens are concerned that their personal information is protected as it is processed, stored and transmitted across computing clouds or mobile devices in the federal government and in other areas such as health care and banking. Protecting PII is a key goal of the federal government.

"Strong normalized privacy controls are an essential component in the ongoing effort to build measurable privacy compliance," said NIST Senior Internet Policy Advisor Ari Schwartz. "Certainty in controls and measures can help promote privacy, trust and greater confidence in new standards."

The new document, Privacy Control Catalog, will become Appendix J of Security Controls for Federal and Organizations (NIST Special Publication 800-53, Revision 4). One of the foundational Federal Information Security Management Act (FISMA) documents, SP 800-53 is being updated to Revision 4 in December, 2011. SP 800-53 is also one of the Joint Task Force Transformation Initiative documents that NIST produces with the Department of Defense and the Intelligence Community.

"Privacy and security controls in federal information systems are complementary and mutually reinforcing in trying to achieve the privacy and security objectives of organizations," said NIST Fellow Ron Ross, project leader of the FISMA Implementation Project and Joint Task Force.

Incorporating privacy controls into SP 800-53 and taking advantage of established security controls to provide a solid foundation for information security helps to ensure that privacy requirements will be satisfied in a comprehensive, cost-effective, and risk-based manner.

The new privacy appendix:

  • Provides a structured set of privacy controls, based on international standards and best practices, that help organizations enforce requirements deriving from federal privacy legislation, policies, regulations, directives, standards and guidance;
  • Establishes a linkage and relationship between privacy and security controls for purposes of enforcing respective privacy and security requirements, which may overlap in concept and in implementation within federal information systems and organizations;
  • Demonstrates the applicability of the NIST Risk Management Framework in the selection, implementation, assessment and monitoring of privacy controls deployed in and organizations; and
  • Promotes closer cooperation between privacy and security officials within the federal government to help achieve the objectives of senior leaders/executives in enforcing the requirements in federal privacy legislation, policies, regulations, directives, standards and guidance.
In addition to the basic privacy controls in Appendix J, NIST plans to develop assessment procedures to allow organizations to evaluate the effectiveness of the controls on an ongoing basis. Standardized and assessment procedures will provide a more disciplined and structured approach for satisfying federal requirements and demonstrating compliance to those requirements, Ross said.

Explore further: Turkey still hopes Twitter will open local office

More information: Due to the special nature of the material in Appendix J, it is being vetted separately from other changes to the main document. The publication may be found at csrc.nist.gov/publications/PubsDrafts.html#SP-800-53-Appendix%20J

add to favorites email to friend print save as pdf

Related Stories

NIST Advises on RFID Security Risks

May 01, 2007

The National Institute of Standards and Technology describes some potential dangers of implementing RFID and offers guidelines and best practices for mitigating the risks.

Recommended for you

Net neutrality balancing act

12 hours ago

Researchers in Italy, writing in the International Journal of Technology, Policy and Management have demonstrated that net neutrality benefits content creator and consumers without compromising provider innovation nor pr ...

Twitter rules out Turkey office amid tax row

Apr 16, 2014

Social networking company Twitter on Wednesday rejected demands from the Turkish government to open an office there, following accusations of tax evasion and a two-week ban on the service.

How does false information spread online?

Apr 16, 2014

Last summer the World Economic Forum (WEF) invited its 1,500 council members to identify top trends facing the world, including what should be done about them. The WEF consists of 80 councils covering a wide range of issues including social media. Members come ...

User comments : 0

More news stories

Hackathon team's GoogolPlex gives Siri extra powers

(Phys.org) —Four freshmen at the University of Pennsylvania have taken Apple's personal assistant Siri to behave as a graduate-level executive assistant which, when asked, is capable of adjusting the temperature ...

Better thermal-imaging lens from waste sulfur

Sulfur left over from refining fossil fuels can be transformed into cheap, lightweight, plastic lenses for infrared devices, including night-vision goggles, a University of Arizona-led international team ...

Deadly human pathogen Cryptococcus fully sequenced

Within each strand of DNA lies the blueprint for building an organism, along with the keys to its evolution and survival. These genetic instructions can give valuable insight into why pathogens like Cryptococcus ne ...