
Summer homework: NIST welcomes comments until 7/31 on draft privacy risk management framework

Update: Deadline extended to 7/31 at 5:00 PM ET!

Earlier today, the privacy engineering team at NIST released its draft NIST Internal Report 8062, Privacy Risk Management for Federal Information Systems, and is seeking comments on that draft. This report introduces a privacy risk management framework (PRMF) for anticipating and addressing privacy risks that result from the processing of personal information in federal information technology systems. In particular, it focuses on three privacy engineering objectives—predictability, manageability, and disassociability—and a privacy risk model.

In developing the PRMF, the team also created a privacy risk assessment methodology (PRAM) to leverage this new framework (appendix D in the report). Thanks go to the NSTIC pilots who decided to use the PRAM to support their alignment with the NSTIC privacy-enhancing and voluntary guiding principle and provide feedback. This effort reflects the cooperative and open process we value so highly with our stakeholders.

The PRMF is modeled after the NIST Risk Management Framework for managing cybersecurity risk and is intended to be a repeatable and measurable tool for improving the understanding, prioritization, and mitigation of privacy risks in information systems. However, more work needs to be done. The privacy engineering team is considering, for future work, how to provide guidance on the selection of technical, policy, and operational controls to address specific privacy risks.

NIST is soliciting input on the report through an open comment period. All feedback is welcome, particularly on the several specific questions for reviewers, available here. Please send all comments to privacyeng [at] nist.gov by July 31, 2015, at 5:00 PM ET using the comment matrix provided.

We see the release of this draft report as a critical step toward addressing privacy concerns in the Identity Ecosystem in a more meaningful and consistent way. The public comment process is critical to building the best product possible, so please share the draft report far and wide and share your thoughts on it with us!

About the author

Naomi Lefkovitz

Naomi Lefkovitz is the Senior Privacy Policy Advisor in the Information Technology Lab at the National Institute of Standards and Technology, U.S. Department of Commerce. Her portfolio includes work...
