Contractors to the federal government and information security professionals are no doubt familiar with NIST Special Publication 800-53. Provided by the National Institute of Standards and Technology (NIST), the 800-53 is a set of controls intended to protect federal information systems from “hostile cyber attacks, natural disasters, structural failures, and human error.” Since their inception, these controls have gone through a handful of revisions. Most recently, in April 2013, NIST released the fourth version, which added the Appendix J: Privacy Controls Catalog (App. J) to its catalog of controls.
So how does App. J align with other prevailing data privacy best practices? How useful is it as a data privacy framework? And what are some practical considerations when implementing it? This article will address all three of these questions.
Aligning with Data Privacy Best Practices
As NIST states, the App. J controls were implemented for several reasons:
- To provide a structured set of privacy controls based on best practices.
- To establish a relational link between data privacy and information security controls.
- To demonstrate how NIST’s Risk Management Framework (RMF) can apply to privacy controls.
- To promote cooperation among privacy and security officers to facilitate efficient compliance with regulations, laws, standards and best practices.
The 26 controls are divided into eight separate families. Here’s a quick summary:

| Family | Control | Title |
|---|---|---|
| Authority and Purpose | AP-1 | Authority to Collect |
| Accountability, Audit and Risk Management | AR-1 | Governance and Privacy Program |
| | AR-2 | Privacy Impact and Risk Assessment |
| | AR-3 | Privacy Requirements for Contractors and Service Providers |
| | AR-4 | Privacy Monitoring and Auditing |
| | AR-5 | Privacy Awareness and Training |
| | AR-7 | Privacy-Enhanced System Design and Development |
| | AR-8 | Accounting of Disclosures |
| Data Quality and Integrity | DI-1 | Data Quality |
| | DI-2 | Data Integrity and Data Integrity Board |
| Data Minimization and Retention | DM-1 | Minimization of Personally Identifiable Information (PII) |
| | DM-2 | Data Retention and Disposal |
| | DM-3 | Minimization of PII Used in Testing, Training and Research |
| Individual Participation and Redress | IP-1 | Consent |
| Security | SE-1 | Inventory of PII |
| | SE-2 | Privacy Incident Response |
| Transparency | TR-2 | System of Records Notice and Privacy Act Statements |
| | TR-3 | Dissemination of Privacy Program Information |
| Use Limitation | UL-1 | Internal Use |
| | UL-2 | Information Sharing with Third Parties |
How do these controls compare to other data privacy frameworks? To answer that, we first have to identify the “other data privacy control frameworks.” For this comparison, we’ll use the Fair Information Practice Principles (FIPPs), the OECD Guidelines and the APEC Privacy Principles. All three present a fundamentally sound baseline of data privacy controls and are commonly used by organizations to build, assess and improve their privacy programs. The privacy requirements common to the FIPPs, OECD and APEC controls are: Accountability; Security; Data Quality; Use Limitation; Data Minimization; Purpose/Choice; Individual Participation and Access; and Transparency/Notice. So, how does App. J stack up against them?
- Accountability: Requires organizations and individuals to be accountable for compliance with applicable privacy practices. This is captured in App. J’s AR family.
- Security: Protects data and PII from unauthorized use, access or disclosure. App. J’s SE family addresses this.
- Data Quality: Ensures that PII is accurate, complete and timely. App. J includes this requirement in its DI family.
- Data Minimization: Requires organizations to collect only the minimum amount of data necessary to accomplish their business goals, and to retain that data for no longer than is needed. App. J addresses this in its DM family.
- Purpose/Choice: Individuals should be told how the collecting organization intends to use, maintain and share data. The AP family in App. J covers this.
- Individual Participation: Individuals should be able to reasonably control how their data is used, be able to agree to such use, be able to have access to their own data and be able to have inaccuracies fixed. App. J has controls specifically applicable to individual participation in its IP family.
- Transparency/Notice: Organizations should be open with individuals on how data is collected, used, shared and stored. App. J has a corresponding control in its TR family.
Given the foregoing, it’s clear that NIST 800-53 Appendix J Privacy Controls align well with established privacy control sets. There are no gaps between it and the three baselines in this comparison. At this point, App. J shows no shortcomings.
Usefulness as a Data Privacy Control Set
A quick look at the text of App. J shows the detail and depth provided on each control. In fact, some controls have “control enhancements” that add specificity, functionality and strength to numerous controls. These enhancements can be leveraged by organizations to the extent the enhancements are applicable to the organization’s system(s). Also, NIST does an admirable job keeping its requirements technology- and policy-neutral, which allows more meaningful applicability across a larger array of organizations.
App. J has inherited the robust, granular nature of the larger 800-53 control set, which makes it unique in the world of data privacy frameworks. As such, App. J is a very useful privacy control set. In fact, it’s even more useful than the fundamental control sets it’s based on because it offers more explanation and detail.
Practical Considerations for Using App. J
These data privacy program considerations will apply differently depending on why an organization is using App. J. For instance, some organizations, such as federal contractors, are required to be compliant with the App. J controls while others choose them as a best-practice data privacy model.
If a federal contractor wants to do business with the government, and that business requires the contractor to handle, use or store federal information, the government makes the contractor demonstrate compliance with NIST 800-53 as a condition of contract award. These companies have no choice but to comply with the App. J privacy controls. This mandate limits the practical considerations when implementing the controls, but there are still a few things worth noting. Some of the App. J controls may not be applicable to the contractor, which means that the contractor does not have to comply with them. Seems simple enough. But some contractors mistakenly assume that strict compliance with App. J means making unnecessary modifications to their systems. Also, even though App. J is tied closely to 800-53’s security controls (it is an appendix to those controls, after all), contractors are not required or even expected to integrate their data privacy compliance activities with their information security program. Although integrating privacy and security is a very sound strategy, the lack of a requirement to do so allows contractors to use discretion regarding the extent of such integration.
On the other hand, commercial entities are not legally bound to comply with App. J. Instead, they choose App. J as a best practice on which to base their privacy programs. In this scenario, an organization is afforded much more flexibility in its approach to App. J compliance. Without the oversight of the feds, commercial companies can pick which App. J controls to implement and how to implement them. This allows for the development of a tailored privacy program, where less important controls can be discounted or ignored. In addition, these organizations can combine App. J with other data privacy and information security controls sets to create a hybrid framework that’s optimized for the company’s mission and capabilities.
Finally, remember that App. J is very granular in nature. It may be overkill for smaller organizations, or for those that have immature data privacy programs. However, App. J can still be a very useful tool for these organizations to the extent it provides a roadmap to future, robust privacy compliance.
The App. J privacy controls offer a comprehensive data privacy and data protection framework that can be flexibly applied to the majority of companies that handle PII. It also lends itself to integration with information security controls, which in my opinion is very important. So my advice: Read it. Learn it. Use it.