Update: Deadline extended to 7/31 at 5:00 PM ET!
Earlier today, the privacy engineering team at NIST released its draft NIST Internal Report 8062, Privacy Risk Management for Federal Information Systems, and is seeking comments on that draft. This report introduces a privacy risk management framework (PRMF) for anticipating and addressing privacy risks that result from the processing of personal information in federal information technology systems. In particular, it focuses on three privacy engineering objectives—predictability, manageability, and disassociability—and a privacy risk model.
In developing the PRMF, the team also created a privacy risk assessment methodology (PRAM) to leverage this new framework (appendix D in the report). Thanks go to the NSTIC pilots who decided to use the PRAM to support their alignment with the NSTIC privacy-enhancing and voluntary guiding principle and provide feedback. This effort reflects the cooperative and open process we value so highly with our stakeholders.
The PRMF is modeled after the NIST Risk Management Framework for managing cybersecurity risk and is intended to be a repeatable and measurable tool for improving the understanding, prioritization, and mitigation of privacy risks in information systems. However, more work needs to be done. The privacy engineering team is considering, for future work, how to provide guidance on the selection of technical, policy, and operational controls to address specific privacy risks.
NIST is soliciting input on the report through an open comment period. All feedback is welcome, particularly on the specific questions for reviewers that accompany the draft. Please send all comments to privacyeng [at] nist.gov by July 31, 2015, at 5:00 PM ET, using the comment matrix provided.
We see the release of this draft report as a critical step toward addressing privacy concerns in the Identity Ecosystem in a more meaningful and consistent way. The public comment process is critical to building the best product possible, so please share the draft report far and wide and share your thoughts on it with us!