Ron Ross on NIST's New Privacy Controls
NIST's Senior Computer Scientist Discusses SP 800-53
With the expected arrival of NIST's fourth revision to Special Publication 800-53 in December, more privacy controls will be added to the security control guidance, establishing a stronger relationship between privacy and security.

It's happening now because of the "explosion" of information technology, says Ron Ross, the National Institute of Standards and Technology's senior computer scientist. "Small mobile devices, security and privacy are becoming even more critical than ever, and we wanted to make sure that there was a disciplined and structured approach on how to enforce some of the best practices that have been around for quite some time," he says in an interview with Eric Chabrow (transcript below).

SP 800-53 has just one privacy control, which requires agencies to conduct a privacy impact assessment to assure data confidentiality, one of the three cornerstones of security, along with accessibility and integrity. With the fourth revision, titled Recommended Security Controls for Federal Information Systems and Organizations, there are expected to be 23 privacy controls in the guidance (see New NIST Guidance to Feature Privacy Controls). "It was really important to understand that there's a commonality among (security and privacy) controls, and the overlap was in the area of confidentiality," Ross says.

The privacy controls being added to SP 800-53 cover transparency; individual participation and redress; authority and purpose; data minimization and retention; use limitation; data quality and integrity; security; and accountability, audit and risk management.

Ross is the lead author of SP 800-53 and the new privacy controls, Security and Privacy Controls for Federal Information Systems and Organizations.

In the interview, Ross addresses:

  • How the new controls will help agencies measure their compliance with privacy laws and regulations.
  • Why the new privacy controls alone won't prevent the loss of personally identifiable information, but represent a first step toward building a culture within an organization to safeguard private information.
  • Other types of controls NIST is considering adding to the SP 800-53 revisions, including those involving insider threat, web-based and application security, mobile computing, cloud computing and industrial control systems.

Ross leads NIST's Federal Information Security Management Act compliance team. A graduate of the United States Military Academy at West Point, Ross served in a variety of leadership and technical positions during his 20-year career in the Army. During his military career, Ross served as a White House aide and as a senior technical advisor to the Department of the Army. He is a graduate of the Program Management School at the Defense Systems Management College and holds a master's and Ph.D. in computer science from the United States Naval Postgraduate School.

Solid Foundation of Security

ERIC CHABROW: Weren't privacy controls part of 800-53 already? What's new here?

RON ROSS: We actually had one control in the entire catalog. It was the one that would require people to do a privacy impact assessment, and for the longest time we've wanted to expand the number of privacy controls to cover more territory. There are controls in 800-53 that cover the security aspects for information and information systems, confidentiality being one of the three security objectives, the others being integrity and availability. Confidentiality was always at the heart of privacy. Privacy really does rely on a solid foundation of information security, but the privacy controls go a lot further than just what we described in the original security control catalog.

CHABROW: Can you give us some indications of what some of these controls are?

ROSS: These are all tied to the fair information practice principle, the international standards-based practice principles that tie back to the Privacy Act of 1974. Some of the controls that go beyond what we would typically find in a security catalog would be controls for transparency, giving privacy notice, dissemination of privacy program information, authority and purpose, authority to collect different types of privacy data and specifying what purpose the data is being collected for. If you're looking at security and privacy in kind of a Venn diagram, there are some commonalities in the center of the diagram, but the privacy controls do extend considerably beyond what security would normally cover.

CHABROW: Why are you doing this now?

ROSS: One of the big reasons is with the explosion of information technology, when I talk about this in terms of our digital footprint, as we start to see more aggressive use of information technologies. Small mobile devices, security and privacy are becoming even more critical than ever, and we wanted to make sure that there was a disciplined and structured approach on how to enforce some of the best practices that have been around for quite some time. Having these privacy practices expressed in specific control language kind of levels the playing field so privacy requirements can be specified in terms of these specific privacy controls. It also gives the auditors and the folks who come along and do privacy oversight to make sure that we're in compliance with privacy regulations, OMB (Office of Management and Budget) policies and the actual legislation. They can have more effective ways to measure whether agencies are actually in compliance.

Security-Privacy Synergy

CHABROW: The draft states that the new controls would establish a relationship between privacy and security controls to enforce respected privacy and security requirements that may overlap in concept and implementation. What is meant by that? Is there some conflict there or not?

ROSS: This is actually very interesting. When I look at the different federal agencies, and I've been working with all of them for a long time in regards to the security standards and guidelines that we produce, it was interesting because the privacy offices and security offices usually are very separate in these organizations. Many times these individuals don't even know each other or talk to each other. What brings these two areas of concentration together today is the information technology. The ability to have good privacy today is an area where we rely on and we're very dependent on information technology. The vast majority of information that we store, process and transmit are in our information systems. It was really important to understand that there's a commonality amongst these controls, and the overlap was in the area of confidentiality. So in order for privacy to be enforced in a rigorous fashion within federal organizations that depend upon information technology, you have to have that solid foundation of security providing the confidentiality aspects or the protection from non-disclosure or unauthorized disclosure. And from that is a solid basis of security controls for confidentiality. With that, we now have the ability to expand and address the rest of the privacy concerns in that same disciplined and structured fashion.

CHABROW: Is there sort of a merging of information security and privacy into one organization? Would that eventually happen or not?

ROSS: It's hard to say. One of the objectives here is we've been developing these controls for probably a year now with the privacy and subcommittee, the CIO Council. When I talk about the new controls to privacy groups, there is actually a lot of excitement about elevating this area of privacy up to the level of security, because security and privacy are very important to citizens and all the people who work within the federal government. I believe that over time, since both privacy offices and security offices rely on this bed of information technology, I do see these offices coming closer together. That doesn't mean that the legislation is going to be the same. We have different pieces of legislation. There are different policies that address security and privacy issues. But the folks that have to actually implement the controls and make sure that the requirements are satisfied, whether it's for FISMA, the Privacy Act of '74 or OMB policies, will probably need to work more closely together because their common ground now is information technology.

CHABROW: If these controls were in place half a year ago, would we be seeing as many headlines about breaches and the loss of personally identifiable information as we have?

ROSS: That's a great question. You can produce the best controls in the world, whether on the security side or privacy, but they really have to be specified by an organization. In other words, they have to be selected, chosen for implementation, implemented effectively and there has to be a culture of both security and privacy within the organization. Just having the controls is a great first step to getting greater specificity for the privacy requirements. Again, as I said before, have more of a level playing field for assessing those controls to see if they are effective. But the hope is that with good controls it raises the level of awareness within organizations as well. It also allows people to have common language.

When we're talking about security controls, 800-53 provides us a common language. When we talk about access control or identification authentication, all of us knew what we were talking about. Now with privacy controls we have that same possibility. When we talk about data minimization and retention, data quality and integrity, authority and purpose, some of the privacy control families will now have very common language with which to specify these controls and also to ensure they are implemented. I think it's an important first step and the real question is how effective will agencies be in implementing these controls once they've been approved.

Other Controls to Be Added

CHABROW: Privacy controls are just one component of the revisions planned for 800-53 when it's revised at the end of the year. What else is in store for the revised 800-53?

ROSS: This has been one of the most exciting projects I've worked on since the joint task force started. We put out a data call earlier this year in anticipation of the revision coming out in December 2011, and we got just an overwhelming response back from both public and private sector organizations. Some of the best security professionals in the world provided really good recommendations to us, and we're looking at a wide variety of new topics. Insider threat is one of the big ones that I like to talk about. Working with the Software Engineering Institute at Carnegie Mellon, they have a great insider threat research team up there. They've been working on this for over ten years, so we have a lot of new material that's coming in at their suggestion. We're talking about web-based and application security. Most of our cyber attacks come in from web-based, e-mail type applications. Having better web and application security is really a top priority to close down some of those cyber attacks. We're taking a look at mobile computing, cloud computing and industrial control systems. We already have one appendix in 800-53 that addresses industrial control system security, but again we're looking to go somewhat beyond that. We're looking down deep into the system. We have the security stack that goes from applications to middleware to operating systems, down to the actual firmware and the hardware. We have a brand new special publication on virus protections. I think you can anticipate having some new controls in the area of virus protection, basic input output system for those folks who are not familiar with that acronym, and then the new privacy appendix.

The attempt here is to have the most robust set of security and privacy controls for our customers, so they can have at their fingertips the ability to create the exact type of security and privacy plans that are needed to protect their organization's information, whether on the privacy or security side. One size doesn't fit all, so having this kind of a catalog, I call it "the parts bin," you can go to that parts bin and find almost anything you need to stop certain types of cyber attacks and build more resilient systems. It's really an exciting time and we've had great cooperation from our partners at the DOD (Department of Defense) and the intelligence community side, tapping into a lot of their expertise, based on their knowledge of the threats base. It's been a great partnership. With the update for "53," plus our new ads on "839" enterprise-wide risk management where we are focusing on building more resilient systems starting back at the architectural level, I think it's going to go a long way toward really changing the whole way we do cybersecurity and risk management.
