With government protection of personal data making so many headlines of late, all eyes are on U.S. federal agencies working hard to put systems in place to ensure personal data is identified and processed safely.
Take the recently published “Privacy Overlays” completed by a “Tiger Team” of federal government privacy and security professionals. More specifically, the Committee on National Security Systems (CNSS) No. 1253F Attachment 6 is now required for all member agencies of the CNSS and could have implications for federal agencies across the board.
A product of three-and-a-half years of work, the Privacy Overlays identify privacy and security specifications to protect personally identifiable information (PII) and personal health information (PHI) in all of the government’s CNSS systems. We’re talking high-level agencies when we’re talking CNSS members: This includes Cabinet-level offices, the Office of Management and Budget (OMB), all the top three-letter intelligence and national security agencies (FBI, NSA, CIA) as well as military offices. The Department of Defense (DoD), too, is requiring the Overlay for all of its information systems as well as in its recent Cloud Computing Security Requirements Guide.
But what, exactly, are the Overlays?
Let’s put it this way: It’s not simple, but it could be incredibly helpful for privacy and security pros working in public- and private-sector organizations.
At its most basic explanation, the Overlays identify the controls needed to reduce privacy risks in national security systems throughout the information life cycle. Additionally, they help implement privacy requirements from federal statutes and regulation, as well as OMB policy.
“We’ve spent the last three-and-a-half years coming up with 900 individual controls—everything from access controls to awareness-in-training to incident response,” explained Lewis Oleinick, CIPP/G, CIPP/US, CPO, FOIA Officer, Defense Logistics Agency. What’s more, he said, it helps identify which information should be encrypted within a database.
“For example,” Oleinick explained, “there’s one control called access enforcement. That control specifies different types of access to information. In our Overlay, we went through 10 controls to determine what’s required under the Privacy Act, what’s required under HIPAA, and gave an explanation as to why that control should be implemented.”
In addition to mapping controls to federal mandates, the Overlays act as a sort of beacon for privacy officers and information technology professionals. “Privacy and security pros need to work together,” MITRE's Julie Snyder, CIPP/G, CIPP/US, CIPM, CIPT, said. “Part of this endeavor was to take some of the guesswork out of this.” She added, “We have also written up a justification to help security pros understand privacy and vice versa.”
For organizations across the spectrum, both public and private, bridging the gap between technical implementation and privacy risk and analysis is paramount, but extremely challenging. Booz Allen Hamilton's Howard Gill, CIPP/US, said these Overlays can play a key role in bringing those disparate sides together.
“Most CPOs may never get down to applying a control; that’s usually done by a team of security people,” Howard said. “But part of the process of selecting controls is knowing the level of privacy risk. This is where the CPO gets involved. He or she determines the appropriate level of risk.” The Overlays then help identify the level of risk of a given control, he said, adding, “This is what helps privacy folks explain to security folks why a given security control should be put in place instead of another.”
Hillary Fielden, CIPP/G, CIPP/US, CIPT, also of Booz Allen Hamilton, stressed that the Overlays are not designed like privacy impact assessments. “These don’t answer the question: Is this data set a good thing? Rather, they protect PII against security threats.”
Snyder has an information security background, and she helped the process along by interpreting the IT side of things for the team. When something came up, she’d say, “Hey, let’s go talk to the DoD, the IC agencies or civil agencies to get their perspectives on how they could best use this.”
Essentially, the Overlays are intended for the implementers, Howard said, and those are generally going to be the tech folks.
Fielden also brought her experience in operationalizing policy into the Tiger Team process. Operationalizing policies is a difficult challenge, she said. How do you distill policy into workable solutions? “As a team, we would go through policies line by line, word by word and talk through them.”
Plus, policy changed during the Tiger Team’s project. “It’s important to note,” said Oleinick, “NIST’s 800-53 changed during the process. There was a lot of work after that change.”
But even with these changes, the Overlays are consistent. Fielden said the Overlays could be implemented by any agency and that adds value.
Another huge component of the Overlays includes how best to handle healthcare information—including military healthcare data and medical treatment facility data—so as not to violate HIPAA. Booz Allen Hamilton's Jeremy Miller played a large role providing guidance on how to adjust for HIPAA and health information.
The Tiger Team says these Overlays have broader implications beyond CNSS systems. Oleinick said, “CNSS drivers are federally based, but as a methodology, these could be used elsewhere. It provides a reasonableness standard, so if a big breach happens, courts could say, ‘Hey, there’s a standard for that,’ and point to these Overlays.”
Gill agrees that there’s a future for the Overlays in the commercial space. “The Overlays make it far easier for organizations that want to evaluate privacy controls. If they can’t properly apply privacy controls using COBIT or ISO 27001, they can map controls over to NIST standards. In that regard, I think the Overlays will add value for privacy pros across the board, whether we’re talking about the DoD or commercial systems.”
“It’s very hard to compile one-stop shop privacy-related controls to security-related controls outside of the Overlays,” said Gill. “You’d be hard pressed to find one. I think it will find its way into broader use as people see the benefits.”