Are New NIST Privacy Controls Necessary?

NIST LogoIn case you missed the announcement on Tuesday, National Institute of Standards and Technology (NIST) has released a draft of new privacy controls to be included in the next update of Special Publication (SP) 800-53. Currently referred to as SP 800-53 Appendix J, the update provides the first steps to standardizing what privacy means to the federal government. Eric Chabrow wrote up a nice article summarizing the announcement.

via GovInfoSecurity.com

The link between privacy and security is getting codified in the next version of the National Institute of Standards and Technology’s definitive security control guidance.

In preparation of an anticipated year-end revision of Special Publication 800-53, NIST Tuesday posted a draft appendix with the preliminary title, Security and Privacy Controls for Federal Information Systems and Organizations, that will be incorporated into the fourth revision of SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations.

Continued here.

I have mixed feelings about this addition. Yes, I think privacy is important and definitely needs to be focused on more … however is the extra effort worth it? There are already controls within SP 800-53 that covered most of what they are adding. Further, the suggested updates add eight new families and 22 new controls, which is going to significantly add to the expense of the meeting FISMA.

One of our NoVA infosec security twits who knows a lot more about all this NIST stuff than I do, @cyberhiker, posted a series of tweets expressing his views in relation to the Eric’s article.

  • @GovInfoSecurity It would probably help if they more clearly defined what is and is not privacy data. #
  • I don’t know that I need 8 new control families and 23 new controls. #80053AppendixJ #
  • The first question I am going to get about #80053AppendixJ: What baseline does it apply to? A: You need to tailor them into each baseline. #
  • 2nd Q about #80053AppendixJ: These are Mgmt controls, so I can inherit these from the Govt right? A: No. U need to read more closely. #
  • More of a stmt about #80053AppendixJ: “Looks like there is a R4 now, glad we didn’t update our policy to R3” “No. U should’ve updated. Now!” #

Some interesting things to consider there… Just shoot your suggestions over to [email protected] to let them know what you think by September 2nd. In the meantime, why don’t you let us know your thoughts in the comments below?

#####

If you are interested in other work by @cyberhiker, check out his RedSpartan compliance framework project.

3 comments for “Are New NIST Privacy Controls Necessary?

  1. July 21, 2011 at 10:30 am

    #NOVABLOGGER: Are New NIST Privacy Controls Necessary? http://bit.ly/q2DCzF http://j.mp/nispblog

  2. July 21, 2011 at 11:24 am

    BLOGGED: Are New NIST Privacy Controls Necessary? http://bit.ly/q2DCzF

  3. July 21, 2011 at 10:57 pm

    Are New NIST Privacy Controls Necessary?: [nova#infosecportal.com] In case you missed the announcement on Tuesday,… http://winsec.tk/c5mK3

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.