
The Privacy Advisor | US Gov't asks privacy pros to help revise privacy, security controls


The U.S. government is poised to release an update to the federal guiding document for security and privacy in 2017, but, before it does so, it wants feedback from privacy and security professionals on how to make it a more usable, meaningful document. The revision of what's officially called NIST Special Publication 800-53 follows the government's update to Circular A-130, which directs government agencies on how information is to be managed.

At an event this week, Office of Management and Budget Senior Manager for Privacy Marc Groman used his opening remarks to impress upon privacy pros the importance of this moment, citing government employees' mission to serve the American people and privacy's role in helping agencies operate more efficiently in their individual missions. 

Ron Ross is a fellow at NIST, and he helped author the original 800-53 document, which was released in 2005 and has since seen four revisions. Ross said this most recent iteration of 800-53 is especially important given the threat landscape, and new controls and enhancements must be made to respond. 


The government's workshop, held at the Department of Transportation yesterday, asked privacy pros to weigh in, specifically, on Appendix J of 800-53, last revised in 2013, which comprises the privacy controls for federal agencies. It wants to know, specifically, whether "the current organization of Appendix J around the Fair Information Practice Principles" is sufficient given privacy pros' risk-management responsibilities. Or are changes needed? What will push organizations from compliance-based privacy assessments to risk-based approaches?

"This is an opportunity, based on the new A-130, to fine-tune those controls," said Ross. "What content is missing? Do we have the right structure mechanisms in place to make those controls easy to use and accessible to you in your organizations?" 

The resounding answer from pros who later spoke candidly in breakout sessions was: Things need to get better. Much of the discussion centered around the disconnect between security and privacy controls, despite the fact that most of the issues are, as NIST privacy engineer Sean Brooks called them, "interdisciplinary problems that require interdisciplinary solutions." 

Ross said the new A-130 document is significantly stronger on integrating privacy and security than its predecessor, and he said that kind of policy statement "makes a very powerful argument" about why Appendix J and Appendix F — which applies to security controls — must "be together to be successful." 

Jamie Danker, senior privacy officer of the National Protection and Programs Directorate at the Department of Homeland Security, said this process itself reflects the growth of the privacy profession and its level of maturity. It's significant, she said, that privacy pros are being put on "equal footing" with security pros, and it reflects an understanding that privacy is an interdisciplinary field.

Given that, the government is also considering whether there's unnecessary overlap in 800-53 as it stands, and whether controls like audit and accountability, for example, which exist in Appendix F (security), should stand separate from controls like Appendix J's "accountability, audit and risk management." Isn't that redundant?

Some of the discussion in the breakout sessions explored the idea of merging the two documents and creating a common lexicon, so that security pros and privacy pros within agencies are speaking the same language. There were frequent references to the need for a "crosswalk" to bridge the divide between the two teams.

"Transparency," for example, has a very different meaning in the engineering discipline than the privacy discipline. 

Ross, coming from the security side of things, said it's most important to look at big-picture objectives. 

"As long as we're clear on what the expectations are, we can work out the differences in the language," he said. "We just have to be clear on what we're trying to say." 

That's where the Fair Information Practice Principles are critical, Brooks said, in helping entities describe, "What do you want to be as an organization when it comes to privacy?" But, he said, a bridge needs to be created between high-level goals and principles and the actual program design for information services.


Ross said he's thinking of the new guidance like this: "It's kind of like we have a house, and we [security pros] invited you into the house. And you have your own room, but you're kind of, you know, in your own room in the back of the house. We want to invite you out of your room, so you're wandering all around the house, and we change the name on the front door."

Comments on the next draft of Appendix J and 800-53 are invited through September 30 at, and then the issue moves to the newly formed Federal Privacy Council's risk management subcommittee. The next iteration of 800-53 is due in 2017.

Top photo: Naomi Lefkovitz, senior privacy policy advisor for NIST

