National Institute of Standards and Technology (NIST)
About the National Institute of Standards and Technology
The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the U.S. Department of Commerce. Congress established the agency to help improve U.S. industrial competitiveness. From the smart electric power grid and electronic health records to atomic clocks, advanced nanomaterials, and computer chips, innumerable products and services rely in some way on technology, measurement, and standards provided by the National Institute of Standards and Technology.
Who at NIST engages with privacy?
Most of NIST's privacy-related research occurs within the Information Technology Laboratory (ITL).
ITL’s strategy is to maximize the benefits of information technology (IT) to society through a balanced IT measurement science and standards portfolio of three major activities: fundamental research in mathematics, statistics, and IT; applied IT research and development; and standards development and technology transfer.
The NIST Privacy Engineering Program supports the development of trustworthy information systems by applying measurement science and systems engineering principles to the creation of frameworks, risk models, guidance, tools, and standards that protect privacy and civil liberties.
Additional privacy-related research is integrated in other programs, including cryptography, trusted identities, usability, and information assurance.
Which NIST guidance is most relevant to privacy?
NIST provides standards and guidelines to Federal agencies for various purposes, including supporting agencies’ ability to meet their obligations under regulations and OMB policy. The guidance below might be of particular interest to those managing privacy programs:
- NIST Internal Report (NISTIR) 8053 - De-Identification of Personal Information (Oct. 22, 2015)
- NISTIR 8062 (draft) - Privacy Risk Management for Federal Information Systems (May 2015)
- NIST Special Publication (SP) 800-53, Revision 4 - Security and Privacy Controls for Federal Information Systems and Organizations (Apr. 30, 2013)
- NIST SP 800-53A, Revision 4 - Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (Dec. 18, 2014)
- NIST SP 800-66, Revision 1 - An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (Oct. 1, 2008)
- NIST SP 800-122 - Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (2010)
- NIST SP 800-171 - Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (Jan. 14, 2016)
Which NIST guidance is specific to privacy risk management?
In support of OMB Circular A-130, NIST is working to augment existing NIST guidance on the Risk Management Framework (RMF) to specifically address privacy risk management.
In the short-term, privacy programs may want to review the following Special Publications for RMF standards and guidelines:
- NIST SP 800-18 - Guide for Developing Security Plans for Federal Information Systems (Feb. 2006)
- NIST SP 800-30 - Guide for Conducting Risk Assessments (Sept. 2012)
- NIST SP 800-18 - Guide for Applying the Risk Management Framework to Federal Information Systems (Feb. 2010)
- NIST SP 800-39 - Managing Information Security Risk—Organization, Mission, and Information System View (Mar. 2011)
- NIST SP 800-60: Volume I - Guide for Mapping Types of Information and Information Systems to Security Categories (Aug. 2008)
- NIST SP 800-60: Volume II - Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories (Aug. 2008)