“Definitely we’re popping the champagne bottles,” Roanne Shaddox says of National Institute of Standards and Technology’s (NIST) release of V.4 of SP 800-53 last week, “because it’s been a long journey to this point.”
What NIST document could possibly have the senior privacy specialist at the FDIC so enthused? Well, 800-53 is the federal government’s “foundational computer security guide,” but it’s now titled, “Security
and Privacy
Controls for Federal Information Systems and Organizations.”
That’s no accident, and that’s a large part of what has privacy professionals in the federal government arena so pleased with the document, with which the Office of Management and Budget (OMB) will expect all government agencies and contractors to comply within a year of its issuance.
Already, 800-53 was the guidebook by which IT professionals in the federal government made sure they were complying with best practices established by NIST. Now, in the same kind of language and side-by-side with their security controls, they have Appendix J, which outlines the privacy controls by which everyone working with federal systems needs to comply. Appendix J was put together by the CIO Council Privacy Committee Best Practices Subcommittee, which Shaddox co-chairs with DHS Senior Director, Privacy Oversight, Martha Landesberg, and Claire Barrett, CPO at the Department of Transportation.
“By putting the privacy controls into this document, which has been around for a long time, we really wanted to elevate the privacy area to where security is,” said Ron Ross, project leader of the FISMA Implementation Project at NIST. Even simply putting privacy in the name was a significant milestone.
“Security grabs a lot of the headlines,” Ross said, “but privacy is very, very important, and it’s getting more important all the time. With the increase in mobile devices and cloud computing and all of the digital information technology, we really wanted to make sure that privacy stands shoulder-to-shoulder with security to make sure they’re equally important things that deserve attention.”
Asked whether that change of document headline is really all that important, Barrett replied with “a violent and robust yes.”
“We have to be very thankful for NIST recognizing that they are sister control sets, and there is a strong relationship between the two, but that they are distinct,” Barrett said. “So calling that out in the title helps to further the unique conversation that needs to happen around privacy…I think, initially, people looked at it as, ‘Once the data is secure, then the privacy is assured,’ but by calling them out as separate things, with a separate appendix, we’ve identified the relationship between the privacy controls and the security controls—we’ve even cross-referenced security controls back to privacy controls, so that they’re reinforcing—but we’ve stated that they’re standalone. And they need to be considered from a broader FIPPs perspective rather than just confidentiality, and that’s really significant.”
It certainly resonates with Chris Brannigan, CIPP/US, CIPP/G, senior privacy analyst at the FAA. “That whole idea that you can’t have security without privacy, that interaction has been building for a decade. Putting the word in the title makes it official…It recognizes that federal privacy professionals have some comparable standing to the certified IT security professionals, and even more important, that they have specialized knowledge, that they are subject matter experts that the IT security experts need."
“IT security guys can say, ‘Only let authorized users in,’ but privacy professionals are the ones who say, ‘Don’t let authorized users take a celebrity’s record and show it to their friends.’”
Further, Brannigan feels the tone and language of the appendix are more important than you might think. “What these FISMA controls do is give the IT security group that’s responsible some real language and rules that are written in their vocabulary,” he said. “Everything that was written for the privacy policy in the past was written for attorneys. Now everything that was written for attorneys has been translated for IT.”
There’s a general recognition that these two groups need to come together more for the betterment of their organizations, and these new controls might be a practical way to bring them closer, said Ross. “Because of how we’re organized, the security office and the privacy office are largely separate,” he said. “They have different legislative mandates. There are OMB policies on both sides, but they’re largely stove-piped…There are a lot of things you can do to fix that, and this was our contribution so that the organizations can benefit and get on with their missions.”
“It’s about bringing transparency to what it’s like to do privacy,” said the FDIC’s Shaddox. “If you’re a privacy professional, you get it, but our discipline intersects with a lot of other disciplines, and we’re trying to bring visibility to our security counterparts about what it means to manage privacy and make sure these issues are at the table and are considered as part of the overall risk profile. Hopefully this brings clarity and demystifies what it means to manage privacy.”
With all that said, is this something that’s going to raise hackles on the security side?
“The response has been outstanding,” Ross said. “The privacy folks were ecstatic; the security folks were a little surprised. They look up and there’s the privacy controls sitting side-by-side with their security controls, and that was a little daunting. But they’re getting used to it. At the end of the day, it’s the organization that matters.”
Even if you’re not working in the federal arena, don’t be surprised if this document affects the way you work in coming years.
“Many, many private-sector organizations use NIST guidelines on a voluntary basis,” Ross noted. “And we encourage that. As taxpayers, they’ve paid to develop these things.”
So, what should privacy heads at government agencies do now?
What’s the first order of business in complying with the new 800-53? Will there be a scramble?
“There is nothing new, from a privacy-compliance perspective, in Appendix J,” said DHS’ Landesberg, “but the extent to which agencies will have to do scrambling will really depend on the sophistication of their privacy program and the resources that they already have. There are some programs that are following the law, but maybe don’t have the extensive abilities for planning and training that some of the more mature programs have. There are no new legal requirements, but these are best practices that go beyond the baseline. But I don’t think any of these guidelines will come out of the blue.”
“There’s nothing particularly new,” DOT’s Barrett agreed, “but I think the appendix tweaks requirements from various pieces of legislation and OMB guidance and puts them together in a single place, and by doing so and integrating with the cyber-security controls, allows us to be more effectively involved in the system development lifecycle. That’s our organization’s biggest takeaway. Most organizations are doing most, if not all, of these elements already. But this builds a baseline against which we can all measure.”
Requirements in the past have been dispersed throughout a number of different formats, Barrett noted, whether the Privacy Act or e-Gov Strategies or guidance from the OMB, and “it has been difficult at times to draw the connective path between all the requirements and therefore build a comprehensive story. This allows us to build a better risk-management profile and then have a more in-depth conversation to make sure we’re properly resourced.”
Essentially, this is a great time to do a gap analysis, said NIST’s Ross. “That’s exactly what I would do,” he said. “Go look at what’s in Appendix J and then do a gap analysis to see if they’re missing anything or if they need to change anything that they’re already doing. And then they’ll look at those things routinely after that.”
He doesn’t feel that most organizations will have to buy any new software or invest in much technology to meet the Appendix J controls. “I think a lot of the technology-related controls are on the security side,” he said, “and the privacy controls will take advantage of that.”
In fact, said Shaddox, “the initial step is more outreach and training at the federal agencies to help them implement Appendix J.”
Following close after will be a way to measure compliance—because the Privacy Subcommittee isn’t done with its work yet. “The training goes on immediately,” said Ross, “and then on a parallel track we’ll work with the Privacy Subcommittee to develop the assessment procedures and that will get integrated into 800-53 Alpha,” the sister document that offers a standardized way to measure the effectiveness of security, and now privacy, controls.
We’ll just have to wait to see what beverage privacy pros use to celebrate that document’s release.