Privacy Section a Focus in NIST’s Revisions Process for Cybersecurity Framework
The National Institute of Standards and Technology on Thursday continued its push for public input on the Cybersecurity Framework, convening a workshop at North Carolina State University’s (NCSU) Centennial campus in Raleigh. The workshop -- set to run through Friday -- and a comment period running through Dec. 13 will help the agency revise the framework in advance of the expected release of a final version in February. Although NIST is examining all aspects of the framework, one of the main areas of interest since a preliminary version dropped in late October has been Appendix B, the framework’s privacy and civil liberties section.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Appendix B, which President Barack Obama’s cybersecurity executive order mandated be based on the Fair Information Practice Principles (FIPPs), outlines a set of privacy and civil liberties protections that directly corresponds with the Framework Core (CD Oct 23 p1). Privacy advocates and lawyers we spoke to said the expanded version of Appendix B that appeared in the preliminary framework is a good start, but believed that it may get pushback from some industry stakeholders who may view it as being overly prescriptive.
Appendix B primarily references Appendix J in revision 4 of the NIST Special Publication 800-53 federal information systems security and privacy standard, but also includes some references to the ISO/IEC 27001 information security management system standard. Former Department of Homeland Security Chief Privacy Officer Mary Ellen Callahan, chair of Jenner & Block’s privacy law practice, said it’s “striking that but for [the NIST standard’s Appendix J], there’s no other concrete objective standard on which to consider privacy integration in IT systems.” Callahan, who was involved in the process of creating the NIST standard’s Appendix J, said “there wasn’t such a concerted effort to integrate privacy into information security” before that standard’s release.
NIST’s decision to base so much of the framework’s Appendix B on an existing government standard makes the section “more stringent than current business practices,” said Michelle Richardson, American Civil Liberties Union legislative counsel. “Having these government principles might be more privacy protective than current business practices, which are meant to follow [the] letter of the law.” Appendix B as it exists in the preliminary framework is “a fantastic start,” with details that are consistent with FIPPs and with DHS privacy practices, she said. “It follows private information throughout the cybersecurity process and provides meaningful guidance regarding the collection, use and retention of information.” The Electronic Privacy Information Center plans to submit comments on the framework, but has not yet fully formed its official stance on the framework, said Amie Stepanovich, director of EPIC’s Domestic Surveillance Project.
The framework will be “incredibly influential” once it’s finalized -- and its Appendix B will likely establish “what the standard of care is on privacy” for organizations that adopt the framework, said former IBM Chief Privacy Officer Harriet Pearson, a partner in Hogan Lovells’ privacy and information management practice who planned to attend the NCSU workshop. It’s “noteworthy” that NIST has expanded its focus on Appendix B during the NCSU workshop, giving the section a separate breakout input group, she said. Stakeholder input is likely to include some discussion of Appendix B’s scope and how to determine whether an organization has effectively implemented the privacy methodology, Pearson said. Industry perspectives on Appendix B are likely to be “consistent from sector to sector” because privacy is an issue that cuts across all sectors, she said. “That’s good because it is supposed to be a multi-sector exercise."
Former DHS Assistant Secretary for Policy Stewart Baker, a partner with Steptoe & Johnson whose practice includes privacy and cybersecurity issues, said the preliminary framework did address some of his concerns about Appendix B, but in “other cases, I fear they actually made things a little worse because they were also listening to privacy groups that were trying to make the privacy appendix more burdensome.” The section as it stands, still “creates a whole bunch of hurdles and introduces disincentives to do cybersecurity because it adds to the cost of doing cybersecurity by ladling on vague -- and not-so-vague -- burdensome privacy requirements,” he said. Baker said some of the industry stakeholders he has spoken with are also concerned about Appendix B’s scope and are likely to submit comments.
NIST should either remove references to Special Publication 800-53’s Appendix J, or “put forward guidance that made it clear that companies have a great deal of leeway in finding ways to implement the privacy appendix,” Baker said. “If they made clear at every point that the goal is cybersecurity and that privacy is something you do in conjunction with a program that is meant to be effective from a cybersecurity point of view -- and that at no time should these privacy considerations restrict your ability to implement strong cybersecurity, then maybe it wouldn’t turn into a privacy tax. But I don’t think that’s easy for them to do, politically or technically.” NIST is likely to fall back on the cybersecurity executive order’s privacy requirements, Baker said. The White House should re-evaluate those requirements, he said. “There are not a lot of demonstrated privacy invasions resulting from cybersecurity,” Baker said. “They're trying solve a problem that hasn’t been shown to be a problem, and that is the worst way to do privacy policy."
Pearson cautioned against approaching Appendix B “from a perspective of whether it will be a burden or not.” The important point from industry’s perspective “is that there is a huge importance to improving cybersecurity,” she said. “The real test for the framework’s privacy methodology is, can it be refined so that it is, like the rest of the framework, as practical and objective as it can be?” Pearson said companies she’s talked to understand there are privacy implications to many cybersecurity activities “and it’s important to address them. Focusing on these considerations and suggesting how companies should address them is really key."
Industry stakeholders who have concerns about Appendix B being too prescriptive can find comfort that “there is wiggle room here, and there definitely will be different practices on a very practical level depending on whether you're in the private sector or government,” the ACLU’s Richardson said. “To me this really seems flexible enough to account for the different roles of people who will be following this.” The ACLU does not want to see Appendix B “move backward,” she said. “I think at this rate, legislation may be delayed for quite a while, so we appreciate that the administration will have to move ahead if Congress can’t get it together.”
The current version of Appendix B actually “looks a lot less like a backdoor privacy rule” than some had previously feared, Jenner & Block’s Callahan said. Stakeholders obviously have a great deal of time left to contribute input, so they should focus their efforts on pointing to “concrete objective standards” that could complement or substitute Special Publication 800-53’s Appendix J, she said.