NIST floats framework for privacy risk management in Fed systems

Federal agency working to understand how use of federal systems impacts a user's personal privacy

NIST last week released the first draft of a framework intended to define how federal information systems impact the privacy of individuals and how to better build and manage those systems.

NIST (the National Institute of Standards and Technology) is seeking public input on the initial draft of its report, Privacy Risk Management for Federal Information Systems. The draft is a first effort to characterize privacy risks in federal systems and to establish privacy principles for those systems that can mitigate such risks.

The document introduces a privacy risk management framework (PRMF) for anticipating and addressing risks that result from the processing of personal information in federal information technology systems.

The government is looking for repeatable methods to measure impacts on privacy, something that is not defined in existing tools such as the Fair Information Practice Principles (FIPPs) and privacy impact assessments (PIAs).

NIST has developed three privacy objectives: "predictability, manageability, and disassociability." The hope is these objectives form the foundation of privacy-preserving information systems, and allow developers to build systems that implement privacy goals and support management of privacy risk.

NIST developed the draft with input from privacy experts in a series of open comment periods and workshops.

NIST has already developed cybersecurity risk frameworks, namely the Risk Management Framework (RMF), which helps organizations select appropriate security controls for information systems. Using the RMF as a model, NIST developed the PRMF that is the centerpiece of the draft report.

The comment period on the document, known as NIST IR 8062, is open until July 13. Comments can be submitted using NIST's comment matrix.