Recent Posts

NIST Privacy Workshop Aims at 'Wherever Privacy Risks Arise'


(Gaithersburg, MD)  The National Institute of Standards and Technology (NIST) hosted the first of a two-day privacy engineering workshop here today as a follow-on to the February release of its Framework for Improving Critical Infrastructure Cybersecurity.  Based on the first day's general sessions, the scope of NIST's privacy focus appears to be far broader than, and perhaps only slightly connected to, its origins in cybersecurity.

Although the penultimate version of the cybersecurity framework included an extensive privacy methodology appendix, the final version featured a more stripped-down privacy approach in response to the objections of critical infrastructure owners who perceived the original appendix as overly prescriptive. The privacy workshop is intended to help fill in the resulting privacy gaps in the framework, aiming to flesh out what NIST says is the paucity of identifiable "technical standards or best practices to mitigate the impact of cybersecurity activities on individuals’ privacy or civil liberties." 

Despite its origins in the development of a cybersecurity framework, the workshop addresses a wide range of privacy issues, with the discussions encompassing privacy protections across a number of disciplines and industries. Specifically, the focus of the workshop is "privacy engineering," namely to "develop reusable tools and practices to facilitate the creation and maintenance of systems with strong privacy postures," Naomi Lefkovitz, Senior Privacy Policy Advisor, Information Technology Lab at NIST said.

When asked during Q and A whether NIST's approach extends beyond the privacy issues surrounding the cybersecurity framework, Lefkowitz said "we hope this is useful in many disciplines, wherever privacy risks arise".  During the development of the framework, she said "we lacked this whole foundational tool and vocabulary for privacy," NIST "need to step back a do a little more foundational work first."

Although most of the privacy-oriented attendees (few of the attendees had attended the earlier NIST cybersecurity workshops, based on a show of hands) seemed pleased by the workshop's discussion topics, a few critical infrastructure privacy representatives again expressed concern about the wide-ranging technical scope of NIST's latest privacy effort, fearing that it might produce far more granular privacy recommendations than they've seen in other, more policy-oriented venues.  Following the workshop, NIST plans to produce a report that is the basis for a NIST Interagency or Internal Report (NISTIR), solicit comments on that document and host a further workshop to refine the draft NISTIR.  

Twitter Delicious Facebook Digg Stumbleupon Favorites More