Ron Ross on NIST's New Privacy Controls

NIST's Senior Computer Scientist Discusses SP 800-53

By , July 21, 2011.

NIST's Ron Ross points out that its seminal security control guidance, Special Publication 800-53, contains only one privacy control, requiring agencies to conduct a privacy impact assessment. That will change by year's end. With his help, the National Institute of Standards and Technology will issue its fourth revision of SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations, which is expected to include 23 privacy controls (see New NIST Guidance to Feature Privacy Controls).

The three cornerstones of security are integrity, availability and confidentiality, and NIST Senior Computer Scientist Ross says confidentiality is at the heart of privacy.

"Privacy relies on a solid foundation of information security," Ross says in an interview with Information Security Media Group. "But the privacy controls go a lot further than what we described in the original security-control catalogue."

The privacy controls being added to SP 800-53 cover transparency; individual participation and redress; authority and purpose; data minimization and retention; use limitation; data quality and integrity; security; and accountability, audit and risk management.

Ross, the lead author of SP 800-53 and of the new privacy controls, Security and Privacy Controls for Federal Information Systems and Organizations, sees much commonality between security and privacy controls. "In order for privacy to really be enforced in a rigorous fashion ... you have to have that solid foundation of security providing the confidentiality aspects - the protection from unauthorized disclosure," he says. "And (with) that solid base of security controls for confidentiality, we have the ability to expand to address the rest of the privacy concerns in that same disciplined, structured fashion."

Why is NIST now addressing privacy in SP 800-53? The explosive use of emerging technologies in government is a major factor. "As we start to see the more aggressive use of information technologies - the small mobile devices - security and privacy are becoming even more critical than ever," Ross says. "We wanted to make sure that there was a disciplined and structured approach on how to enforce some of the best practices that have been around for quite some time."

In the interview, Ross addresses:

  • How the new controls will help agencies measure their compliance with privacy laws and regulations.
  • Why the new privacy controls alone won't prevent the loss of personally identifiable information, but represent a first step toward building a culture within an organization to safeguard private information.
  • Other types of controls NIST is considering adding to the SP 800-53 revisions, including those involving insider threat, web-based and application security, mobile computing, cloud computing and industrial control systems.

"The attempt here is to have the most robust set of security and privacy controls for our customers," he says. "They can have, at their fingertips, the ability to create the exact type of security and privacy plans that are needed to protect their organizations' information, whether on the security or privacy side. One size doesn't fit all, so having this kind of catalogue - I call it the parts bin - you can go and find almost anything you need to stop certain kinds of cyberattacks and build more resilient systems."

Ross leads NIST's Federal Information Security Management Act compliance team. A graduate of the United States Military Academy at West Point, Ross served in a variety of leadership and technical positions during his 20-year career in the Army. During his military career, Ross served as a White House aide and as a senior technical advisor to the Department of the Army. He is a graduate of the Program Management School at the Defense Systems Management College and holds a master's degree and a Ph.D. in computer science from the United States Naval Postgraduate School.

Follow Eric Chabrow on Twitter: @GovInfoSecurity
