Revision of SP 800-53 Addresses Current Cybersecurity Threats, Adds Privacy Controls
A major revision of a Federal Information Security Management Act (FISMA) publication released today by the National Institute of Standards and Technology (NIST) adds guidance for combating new information security threats and incorporates new privacy controls to the framework that federal agencies use to protect their information and information systems.
The public draft of Security and Privacy Controls for Federal Information Systems and Organizations, Special Publication (SP) 800-53, Revision 4 may be found at http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-53-Rev.%204. Comments on SP 800-53, Revision 4 are requested by April 6, 2012.
The way they handle Privacy Controls is very good. They have created a new Appendix "J".
PRIVACY CONTROLS
PROVIDING PRIVACY PROTECTION FOR FEDERAL INFORMATION
Appendix J, Privacy Control Catalog, is a new addition to NIST Special Publication 800-53. It is intended to address the privacy needs of federal agencies. The objective of the Privacy Appendix is fourfold:
• Provide a structured set of privacy controls, based on international standards and best practices, that help organizations enforce requirements deriving from federal privacy legislation, policies, regulations, directives, standards, and guidance;
• Establish a linkage and relationship between privacy and security controls for purposes of enforcing respective privacy and security requirements which may overlap in concept and in implementation within federal information systems, programs, and organizations;
• Demonstrate the applicability of the NIST Risk Management Framework in the selection, implementation, assessment, and monitoring of privacy controls deployed in federal information systems, programs, and organizations; and
• Promote closer cooperation between privacy and security officials within the federal government to help achieve the objectives of senior leaders/executives in enforcing the requirements in federal privacy legislation, policies, regulations, directives, standards, and
There is a strong similarity in the structure of the privacy controls in Appendix J and the security controls in Appendices F and G. Moreover, the use of privacy plans in conjunction with security plans provides an opportunity for organizations to select the appropriate set of security and privacy controls in accordance with organizational mission/business requirements and the environments in which the organizations operate. Incorporating the same concepts used in managing information security risk helps organizations implement privacy controls in a more cost-effective, risk-based manner while simultaneously protecting individual privacy and meeting compliance requirements. Standardized privacy controls provide a more disciplined and structured approach for satisfying federal privacy requirements and demonstrating compliance with those requirements.