NIST Seeks Public Comments on Privacy Risk Management Framework for Federal Information Systems

By Renee Dopplick, ACM Director of Public Policy
July 20, 2015

The National Institute of Standards and Technology (NIST) is accepting public comments on a draft report, Privacy Risk Management for Federal Information Systems, which proposes a privacy risk management framework for federal information systems. The document describes a set of privacy engineering objectives and a privacy risk model. Comments are due by July 31.

Commenters are asked to provide input on the following questions:

  • Does the framework provide a process that will help organizations make more informed system development decisions with respect to privacy?

  • Does the framework seem likely to help bridge the communication gap between technical and non-technical personnel?

  • Do the privacy engineering objectives seem likely to assist system designers and engineers in building information systems that are capable of supporting agencies’ privacy goals and requirements?

  • Should context be a key input to the privacy risk model? If not, why not? If so, does this model incorporate context appropriately? Would more guidance on the consideration of context be helpful?

  • Does the equation to calculate the privacy risk of a data action seem likely to be effective in helping agencies to distinguish between cybersecurity and privacy risks? The equation of privacy risk is expressed as the product of two factors: the likelihood of a problematic data action multiplied by the impact of a problematic data action. Data actions are defined as “information system operations that process personal information.”

Read the report: Privacy Risk Management for Federal Information Systems