National Institute of Standards and Technology (NIST)

The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the US Department of Commerce. Congress established the agency to help improve US industrial competitiveness. From the smart electric power grid and electronic health records to atomic clocks, advanced nanomaterials, and computer chips, innumerable products and services rely in some way on technology, measurement, and standards provided by the National Institute of Standards and Technology.

The NIST Information Technology Laboratory (ITL) engages in privacy-related research through its Information Technology Laboratory and its Privacy Engineering program. Other privacy-related research is integrated in other NIST programs, including cryptography, trusted identities, usability, and information assurance.

Which NIST guidance is most relevant to privacy?

NIST provides standards and guidelines to Federal agencies for various purposes including supporting agencies’ ability to meet their regulatory obligations and governing policy. The following guidance might be of particular interest to those managing privacy programs:

Which NIST guidance is specific to privacy risk management?

In support of OMB Circular A-130, NIST is working to augment existing NIST guidance on the Risk Management Framework (RMF) to specifically address privacy risk management.

In the short-term, privacy programs may want to review the following Special Publications for RMF standards and guidelines:

  • NIST SP 800-18 Guide for Developing Security Plans for Federal Information Systems (Feb. 2006)
  • NIST SP 800-30 Guide for Conducting Risk Assessments (Sept. 2012)
  • NIST SP 800-18 Guide for Applying the Risk Management Framework to Federal Information Systems (Feb. 2010)
  • NIST SP 800-39 Managing Information Security Risk—Organization, Mission, and Information System View (Mar. 2011)
  • NIST SP 800-60: Volume I Guide for Mapping Types of Information and Information Systems to Security Categories (Aug. 2008)
  • NIST SP 800-60: Volume II Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories (Aug. 2008)