The National Institute of Standards and Technology has announced a new proposal concerning privacy controls in government systems. Information on how to comment about the proposal is at the end of this post.
With increasing dependency on information systems and advances in cloud computing, the smart grid and mobile computing, maintaining the confidentiality and integrity of citizens’ personally identifiable information is a growing challenge. A new draft document from the National Institute of Standards and Technology (NIST) addresses that challenge by adding privacy controls to the catalog of security controls used to protect federal information and information systems.
Personally identifiable information (PII) is information that is unique to an individual, such as a Social Security number, birth information, fingerprints and other biometrics. In the wrong hands, PII can be used in identity theft, fraud or other criminal activities. […]
The new document, Privacy Control Catalog, will become Appendix J of Security Controls for Federal Information Systems and Organizations (NIST Special Publication 800-53, Revision 4). One of the foundational Federal Information Security Management Act (FISMA) documents, SP 800-53 is being updated to Revision 4 in December 2011. SP 800-53 is also one of the Joint Task Force Transformation Initiative documents that NIST produces with the Department of Defense and the Intelligence Community. […]
The new privacy appendix:
- Provides a structured set of privacy controls, based on international standards and best practices, that help organizations enforce requirements deriving from federal privacy legislation, policies, regulations, directives, standards and guidance;
- Establishes a linkage and relationship between privacy and security controls for purposes of enforcing respective privacy and security requirements, which may overlap in concept and in implementation within federal information systems and organizations;
- Demonstrates the applicability of the NIST Risk Management Framework in the selection, implementation, assessment and monitoring of privacy controls deployed in federal information systems and organizations; and
- Promotes closer cooperation between privacy and security officials within the federal government to help achieve the objectives of senior leaders/executives in enforcing the requirements in federal privacy legislation, policies, regulations, directives, standards and guidance. […]
The public comment period for this proposal runs through September 2. Comments should be sent to firstname.lastname@example.org. The publication is available at: http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-53-Appendix%20J