National Institute of Standards and Technology (NIST)

The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the US Department of Commerce. Congress established the agency to help improve US industrial competitiveness. From the smart electric power grid and electronic health records to atomic clocks, advanced nanomaterials, and computer chips, innumerable products and services rely in some way on technology, measurement, and standards provided by the National Institute of Standards and Technology.

The NIST Information Technology Laboratory (ITL) engages in privacy-related research through its Information Technology Laboratory and its Privacy Engineering program. Other privacy-related research is integrated in other NIST programs, including cryptography, trusted identities, usability, and information assurance.

Which NIST guidance is most relevant to privacy?

NIST provides standards and guidelines to Federal agencies for various purposes including supporting agencies’ ability to meet their regulatory obligations and governing policy. The following guidance might be of particular interest to those managing privacy programs:

• NIST Internal Report (NISTIR) 8053 De-Identification of Personal Information (Oct. 22, 2015)
• NISTIR 8062 (draft) Privacy Risk Management for Federal Information Systems (May 2015)
• NIST Special Publication (SP) 800-53, Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations (Apr. 30, 2013)
• NIST SP 800-53A, Revision 4 Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (Dec. 18, 2014)
• NIST SP 800-66, Revision 1 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (Oct. 1, 2008)
• NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (2010)
• NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (Jan. 14, 2016)

Which NIST guidance is specific to privacy risk management?

In support of OMB Circular A-130, NIST is working to augment existing NIST guidance on the Risk Management Framework (RMF) to specifically address privacy risk management.

In the short-term, privacy programs may want to review the following Special Publications for RMF standards and guidelines:

• NIST SP 800-18 Guide for Developing Security Plans for Federal Information Systems (Feb. 2006)
• NIST SP 800-30 Guide for Conducting Risk Assessments (Sept. 2012)
• NIST SP 800-18 Guide for Applying the Risk Management Framework to Federal Information Systems (Feb. 2010)
• NIST SP 800-39 Managing Information Security Risk—Organization, Mission, and Information System View (Mar. 2011)
• NIST SP 800-60: Volume I Guide for Mapping Types of Information and Information Systems to Security Categories (Aug. 2008)
• NIST SP 800-60: Volume II Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories (Aug. 2008)