New NIST Guidance to Feature Privacy Controls

Next Version of SP 800-53 to Include Privacy Component
The link between privacy and security is getting codified in the next version of the National Institute of Standards and Technology's definitive security control guidance.

In preparation for an anticipated year-end revision of Special Publication 800-53, NIST on Tuesday posted a draft appendix with the preliminary title, Security and Privacy Controls for Federal Information Systems and Organizations, that will be incorporated into the fourth revision of SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations.

NIST Senior Computer Scientist Ron Ross, the primary author of the draft, characterizes privacy, with respect to personally identifiable information, as a core value that can be achieved only with appropriate legislation, policies and associated controls to ensure compliance with requirements. "Privacy and security controls ... are complementary and mutually reinforcing in trying to achieve the privacy and security objectives of organizations," Ross writes in the preface of the draft appendix.


The privacy additions to the guidance would:

  • Provide a structured set of privacy controls, based on international standards and best practices, that help organizations enforce requirements.
  • Establish a linkage and relationship between privacy and security controls to enforce respective privacy and security requirements that may overlap in concept and in implementation.
  • Demonstrate the applicability of the NIST Risk Management Framework in the selection, implementation, assessment and monitoring of privacy controls.
  • Promote closer cooperation between privacy and security officials to help achieve the objectives of top leaders in enforcing requirements.

Though the recommendations are aimed at federal agencies, NIST encourages other organizations to adopt its privacy and security guidance as well.

NIST is accepting public comment on the privacy addendum, known as SP 800-53 Appendix J, at sec-cert@nist.gov through Sept. 2.


About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
