NIST to add privacy controls for federal information systems

The privacy controls would be added as an appendix to the Security Controls for Federal Information Systems and Organizations, which is a key Federal Information Security and Management Act document, NIST explained in a release.

The privacy appendix would provide a structured set of privacy controls to help organizations enforce requirements of federal privacy legislation, policies, regulations, directives, standards, and guidance.

It would also establish a link between privacy and security controls for enforcing privacy and security requirements, which may overlap in concept and in implementation within federal information systems and organizations.

The appendix would demonstrate the applicability of the NIST Risk Management Framework in the selection, implementation, assessment and monitoring of privacy controls on federal information systems and organizations.

It would promote closer cooperation between privacy and security officials within the federal government to help achieve the objectives of senior executives in enforcing the requirements in federal privacy legislation, policies, regulations, directives, standards and guidance.

"Privacy and security controls in federal information systems are complementary and mutually reinforcing in trying to achieve the privacy and security objectives of organizations", said Ron Ross, project leader of the FISMA Implementation Project and Joint Task Force.

In addition to the basic privacy controls in Appendix J, NIST plans to develop assessment procedures to allow organizations to evaluate the effectiveness of the controls on an ongoing basis. Standardized privacy controls and assessment procedures will provide a more disciplined and structured approach for satisfying federal privacy requirements and demonstrating compliance with those requirements, Ross said.

The public comment period for the draft privacy appendix runs through Sept. 2, 2011. Comments should be sent to sec-cert@nist.gov.
 

What’s Hot on Infosecurity Magazine?