New NIST Guidance to Feature Privacy Controls
Next Version of SP 800-53 to Include Privacy Component

In preparation for an anticipated year-end revision of Special Publication 800-53, NIST on Tuesday posted a draft appendix with the preliminary title Security and Privacy Controls for Federal Information Systems and Organizations, which will be incorporated into the fourth revision of SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations.
NIST Senior Computer Scientist Ron Ross, the primary author of the draft, characterizes privacy, with respect to personally identifiable information, as a core value that can be achieved only with appropriate legislation, policies and associated controls to ensure compliance with requirements. "Privacy and security controls ... are complementary and mutually reinforcing in trying to achieve the privacy and security objectives of organizations," Ross writes in the preface of the draft appendix.
* * *
The privacy additions to the guidance would:
- Provide a structured set of privacy controls, based on international standards and best practices, that help organizations enforce requirements.
- Establish a linkage and relationship between privacy and security controls to enforce respective privacy and security requirements that may overlap in concept and in implementation.
- Demonstrate the applicability of the NIST Risk Management Framework in the selection, implementation, assessment and monitoring of privacy controls.
- Promote closer cooperation between privacy and security officials to help achieve the objectives of top leaders in enforcing requirements.
Though the recommendations are aimed at federal agencies, NIST recognizes that other organizations adopt its privacy and security guidance and encourages them to do so.
NIST is accepting public comment on the privacy addendum, known as SP 800-53 Appendix J, at sec-cert@nist.gov through Sept. 2.