New NIST draft embeds privacy into US govt security for the first time

A draft of new IT security measures by the US National Institute of Standards and Technology (NIST) has for the first time pulled privacy into its core text as well as expanded its scope to include the internet of things and smart home technology.

The proposed "Security and Privacy Controls for Information Systems and Organizations" will be the go-to set of standards and guidelines for US federal agencies and acts as a baseline for broader industry. As such, it has a huge impact on how technology is used and implemented across America.

This version of the document – its fifth draft – concerns itself with edge computing: the rapidly expanding world of interconnected systems and devices that continue to be added to IT systems and the broader internet.

The foreword to this draft references the "sobering assessment" of the Task Force on Cyber Defense earlier this year on the risk that all these new devices and systems represent to critical infrastructure.

"The cyber threat to US critical infrastructure is outpacing efforts to reduce pervasive vulnerabilities," that report noted, "so that for the next decade at least the United States must lean significantly on deterrence to address the cyber threat… It is clear that a more proactive and systematic approach to U.S. cyber deterrence is urgently needed."

As such, NIST has attempted to do just that and be proactive in pushing a "systemic approach" and as a result has decided it needs to cover the new reality of everything from the internet of things (IoT) to mobile devices to things like Amazon's Alexa digital assistant (although no actual products get name-checked).

Privacy

With so many of these powerful computing devices now in the hands of millions of private citizens, that review has inevitably led NIST to consider privacy implications and for the first time privacy has gone from being an appendix to being pulled into the main body of the document.

"The ultimate objective is to make the information systems we depend on more penetration resistant to attacks; limit the damage from attacks when they occur; and make the systems resilient and survivable," the document states.

Another interesting side effect of the new focus is that NIST has stopped pretending that it is only influencing federal agencies (all federal agencies will now be required to follow this NIST guidance following executive action by President Trump) and is actively pitching its contents to private enterprise in the hope of building a more resilient overall network.

Major changes include:

• A focus on improved outcomes rather than a general security overview
• Fully integrating privacy controls into security controls and spending more time digging into the relationship between privacy and security
• Separating the process of selecting of controls from the actual controls – i.e. allowing organizations other than federal agencies to dip in to the document and grab relevant information without having to wade through irrelevant procurement information (that info has been pushed into a separate document).
• Greater integration with other risk management and cybersecurity approaches, including the use of common language
• Updated information on systems used to analyze threats and attacks

The addition of privacy concerns is especially stark – the word "privacy" appears more than 2,000 times in the 500-page document. It contains information on both philosophical and pragmatic approaches to privacy to help sysadmins balance security and privacy concerns.

"Individual privacy cannot be achieved solely through securing personally identifiable information," it notes. "Consequently, this publication contains controls designed to meet privacy requirements and to manage the privacy risks associated with an organizations’ creation, collection, use, processing, storage, maintenance, dissemination, disclosure, or disposal of personally identifiable information separate from security concerns."

Among other things, it argues for a specific privacy program and separate privacy-focused training and includes two extensive appendices that track the privacy requirements and considerations for all the different named-and-numbered controls in the document.

It calls for organizations to:

• Establish and maintain a comprehensive privacy program
• Ensure compliance with privacy requirements and manage privacy risks
• Monitor Federal law, regulation, and policy for changes
• Designate a senior agency official for privacy – who is responsible and accountable for the privacy program
• Ensure coordination between privacy and other programs

Other signs of a more consumer focus is a stress on companies gaining people's consent if any systems gather personally identifiable information – and doing so in plain language so people understand what they are agreeing to.

An example: "When developing or purchasing consent tools, organizations consider the application of good information design procedures in all user-facing consent materials; use of active voice and conversational style; logical sequencing of main points; consistent use of the same word (rather than synonyms) to avoid confusion; the use of bullets, numbers, and formatting where appropriate to aid readability; and legibility of text, such as font style, size, color, and contrast with surrounding background."

Overall, while the document is very long and pretty dense, it is a key document for the network rules that will apply across tens of thousands of different IT systems and in that sense, the greatly expanded consideration of privacy and of devices beyond the traditional servers and laptops approach should bring government guidelines into the modern digital world.

Comments on this draft are due by September 12 and NIST hopes to release a final draft in October with a final version released just before year-end. ®