“Definitely we’re popping the champagne bottles,” Roanne Shaddox says of the National Institute of Standards and Technology’s (NIST) release of Revision 4 of Special Publication (SP) 800-53 last week, “because it’s been a long journey to this point.”

What NIST document could possibly have the senior privacy specialist at the FDIC so enthused? Well, 800-53 is the federal government’s “foundational computer security guide,” previously titled “Recommended Security Controls for Federal Information Systems and Organizations.” Revision 4 renames it “Security and Privacy Controls for Federal Information Systems and Organizations.”

That’s no accident, and that’s a large part of what has privacy professionals in the federal government arena so pleased with the document, with which the Office of Management and Budget (OMB) will expect all government agencies and contractors to comply within a year of its issuance.

Already, 800-53 was the guidebook by which IT professionals in the federal government made sure they were complying with the best practices established by NIST. Now, in the same kind of language and side-by-side with their security controls, they have Appendix J, which outlines the privacy controls with which everyone working with federal systems needs to comply. Appendix J was put together by the CIO Council Privacy Committee Best Practices Subcommittee, which Shaddox co-chairs with DHS Senior Director, Privacy Oversight, Martha Landesberg, and Claire Barrett, CPO at the Department of Transportation.

“By putting the privacy controls into this document, which has been around for a long time, we really wanted to elevate the privacy area to where security is,” said Ron Ross, project leader of the FISMA Implementation Project at NIST. Even simply putting privacy in the name was a significant milestone.

“Security grabs a lot of the headlines,” Ross said, “but privacy is very, very important, and it’s getting more important all the time. With the increase in mobile devices and cloud computing and all of the digital information technology, we really wanted to make sure that privacy stands shoulder-to-shoulder with security to make sure they’re equally important things that deserve attention.”

Asked whether that change of document headline is really all that important, Barrett replied with “a violent and robust yes.”

“We have to be very thankful for NIST recognizing that they are sister control sets, and there is a strong relationship between the two, but that they are distinct,” Barrett said. “So calling that out in the title helps to further the unique conversation that needs to happen around privacy…I think, initially, people looked at it as, ‘Once the data is secure, then the privacy is assured,’ but by calling them out as separate things, with a separate appendix, we’ve identified the relationship between the privacy controls and the security controls—we’ve even cross-referenced security controls back to privacy controls, so that they’re reinforcing—but we’ve stated that they’re standalone. And they need to be considered from a broader FIPPs perspective rather than just confidentiality, and that’s really significant.”

It certainly resonates with Chris Brannigan, CIPP/US, CIPP/G, senior privacy analyst at the FAA. “That whole idea that you can’t have security without privacy, that interaction has been building for a decade. Putting the word in the title makes it official…It recognizes that federal privacy professionals have some comparable standing to the certified IT security professionals, and even more important, that they have specialized knowledge, that they are subject matter experts that the IT security experts need."

“IT security guys can say, ‘Only let authorized users in,’ but privacy professionals are the ones who say, ‘Don’t let authorized users take a celebrity’s record and show it to their friends.’”

Further, Brannigan feels the tone and language of the appendix are more important than you might think. “What these FISMA controls do is give the IT security group that’s responsible some real language and rules that are written in their vocabulary,” he said. “Everything that was written for the privacy policy in the past was written for attorneys. Now everything that was written for attorneys has been translated for IT.”

There’s a general recognition that these two groups need to come together more for the betterment of their organizations, and these new controls might be a practical way to bring them closer, said Ross. “Because of how we’re organized, the security office and the privacy office are largely separate,” he said. “They have different legislative mandates. There are OMB policies on both sides, but they’re largely stove-piped…There are a lot of things you can do to fix that, and this was our contribution so that the organizations can benefit and get on with their missions.”

“It’s about bringing transparency to what it’s like to do privacy,” said the FDIC’s Shaddox. “If you’re a privacy professional, you get it, but our discipline intersects with a lot of other disciplines, and we’re trying to bring visibility to our security counterparts about what it means to manage privacy and make sure these issues are at the table and are considered as part of the overall risk profile. Hopefully this brings clarity and demystifies what it means to manage privacy.”

With all that said, is this something that’s going to raise hackles on the security side?

“The response has been outstanding,” Ross said. “The privacy folks were ecstatic; the security folks were a little surprised. They look up and there’s the privacy controls sitting side-by-side with their security controls, and that was a little daunting. But they’re getting used to it. At the end of the day, it’s the organization that matters.”

Even if you’re not working in the federal arena, don’t be surprised if this document affects the way you work in coming years.

“Many, many private-sector organizations use NIST guidelines on a voluntary basis,” Ross noted. “And we encourage that. As taxpayers, they’ve paid to develop these things.”

So, what should privacy heads at government agencies do now?

What’s the first order of business in complying with the new 800-53? Will there be a scramble?

“There is nothing new, from a privacy-compliance perspective, in Appendix J,” said DHS’ Landesberg, “but the extent to which agencies will have to do scrambling will really depend on the sophistication of their privacy program and the resources that they already have. There are some programs that are following the law, but maybe don’t have the extensive abilities for planning and training that some of the more mature programs have. There are no new legal requirements, but these are best practices that go beyond the baseline. But I don’t think any of these guidelines will come out of the blue.”

“There’s nothing particularly new,” DOT’s Barrett agreed, “but I think the appendix tweaks requirements from various pieces of legislation and OMB guidance and puts them together in a single place, and by doing so and integrating with the cyber-security controls, allows us to be more effectively involved in the system development lifecycle. That’s our organization’s biggest takeaway. Most organizations are doing most, if not all, of these elements already. But this builds a baseline against which we can all measure.”

Requirements in the past have been dispersed throughout a number of different formats, Barrett noted, whether the Privacy Act or e-Gov Strategies or guidance from the OMB, and “it has been difficult at times to draw the connective path between all the requirements and therefore build a comprehensive story. This allows us to build a better risk-management profile and then have a more in-depth conversation to make sure we’re properly resourced.”

Essentially, this is a great time to do a gap analysis, said NIST’s Ross. “That’s exactly what I would do,” he said. “Go look at what’s in Appendix J and then do a gap analysis to see if they’re missing anything or if they need to change anything that they’re already doing. And then they’ll look at those things routinely after that.”

He doesn’t feel that most organizations will have to buy any new software or invest in much technology to meet the Appendix J controls. “I think a lot of the technology-related controls are on the security side,” he said, “and the privacy controls will take advantage of that.”

In fact, said Shaddox, “the initial step is more outreach and training at the federal agencies to help them implement Appendix J.”

Following close after will be a way to measure compliance—because the Privacy Subcommittee isn’t done with its work yet. “The training goes on immediately,” said Ross, “and then on a parallel track we’ll work with the Privacy Subcommittee to develop the assessment procedures and that will get integrated into 800-53A,” the sister document (SP 800-53A) that offers a standardized way to assess the effectiveness of security, and now privacy, controls.

We’ll just have to wait to see what beverage privacy pros use to celebrate that document’s release.

Written by Sam Pfeifle

