Authored by Jenn Behrens, Partner and Executive Vice President of Privacy and Scott Shorter, Vice President of Security

We attended the NIST Privacy Controls Workshop held at the Department of Transportation on September 8, 2016, which was largely focused on NIST Special Publication 800-53 (Security and Privacy Controls for Federal Information Systems and Organization). NIST SP 800-53 was designed to provide policy guidance for federal agencies to manage security and privacy controls in organizational operations and systems. The majority of the document focused on the security aspects of managing federal systems and programs, with a section of privacy-relevant controls appended at the end (Appendix J). Appendix J, like others, are organized into overarching Control Families for Privacy. The Privacy Control Families are based on the Fair Information Practice Principles (FIPPs), with identified Controls completing the index.

The purpose of the Workshop was to gather key stakeholders in one forum to discuss strategies to updating the Privacy Controls within the upcoming fifth revision of SP 800-53. Both public and private stakeholders contributed to the session, which was kicked off with a panel discussion by government experts in privacy on the strengths and deficiencies of Appendix J. Discussions by both the panel and from the breakout groups (held throughout the day-long workshop) identified several operational gaps in implementing the controls as identified in Appendix J. NIST also shared their development of the privacy-equivalent of the security triad (Confidentiality – Integrity – Availability) with the privacy triad (Predictability – Manageability – Dissociability) as way to organize the goals of a privacy management framework. These concepts were previously introduced in NIST Interagency Report 8062, Privacy Risk Management for Federal Information Systems.

The majority of the workshop participants represented federal departments and agencies. Not surprisingly, federal prioritization of resource allocation for privacy matters within agencies was repeatedly cited as a major road block to effectively administering the controls as cited in Appendix J. The difficulty in construing the controls into operational tactics was processed as well as guidance on implementation strategies for the controls is sparse and open to subjective interpretation. For example, the lack of clear or consistent guidance on the definition of personally identifiable information (PII) makes it difficult for stakeholder to know the entire universe of the data upon which the privacy controls should be applied. Frustration was also expressed in the stakeholder sessions about the focus on compliance activities for privacy management. Feedback on Appendix J included that the current structure promoted privacy controls as compliance activities, and did not offer sufficient space for or tools for embedding privacy into design. Effectively, stakeholders largely felt that the current organization of Appendix J left privacy management in the policy arena versus in the technical stack. This led to frustration around growing expectation of privacy engineering activities within the organizations.

There are many ways and methods to improving the saturation of privacy management throughout not only the policy guidance document but also in organizations. One of the key areas we see for maturation of Appendix J (in whatever format it takes in the new version of 800-53) and in the administration of privacy controls across systems, is to parse out the Accountability, Audit and Risk Management Control Family into separate components:

• Accountability and Audit, and
• Risk Management

This separation will allow for further delineation of risk activities, which will allow for greater shift in focus from compliance to engineering activities. Suggested privacy risk management controls include risk framework, risk identification, likelihood and impact indicators, and risk mitigation strategies. The inclusion of concrete controls in the policy guidance on risk management of privacy implications runs parallel to NIST’s efforts in socializing the NIST 8062 Privacy Risk Management Framework, and accompanying risk assessment tool (Privacy Risk Assessment Methodology). We have found the PRAM to be a useful tool for organizations to not only capture an objective assessment of privacy risk in terms of problematic data actions but also organize a matrix of the likelihood and impact of privacy risk associated with the data journey throughout the system. Expanding the scope of privacy controls in NIST SP 800-53 to index privacy risk management functions will promote privacy engineering activities in addition to compliance-based tasks, and could further the goal of embedding privacy into the operational functions of systems and solutions.

We will be sharing our experiences with this tool and of supporting organizations in risk-based privacy management during a panel discussion at the upcoming Global Identity Summit on September 20th in the Federal Focus: Commerce session – we look forward to seeing you there!