NIST Turns FIPPs into Concrete Privacy Objectives and Risk Model for Federal Agencies

Geared towards information systems engineers, the National Institute of Standards and Technology (NIST) Internal Report (NISTIR) 8062 addresses privacy and risk management for federal agencies in a digestible way. NIST’s goal was to bring the high-level, amorphous Fair Information Practice Principles (FIPPs) into focus and provide implementation guidance for those in federal agencies tasked with operationalizing privacy.

The publication introduces three privacy objectives for the systems engineer: (1) predictability, (2) manageability, and (3) disassociability. The objectives are what is needed to demonstrate proper implementation of the federal agency’s privacy policy and system privacy requirements. All systems should exhibit the three objectives. The objectives are intended to supplement the FIPPs, adding a level of precision and increasing the measurability of system engineering success.

(Source: NISTIR 8062)

To further promote the development of repeatable methods, NISTIR 8062 also introduces a privacy risk model to help agencies perform appropriate risk assessments consistently. NISTIR 8062 thus provides practical implementation guidance for the risk assessment requirements of the E-Government Act of 2002 and the requirements of the July 2016 Office of Management and Budget (OMB) update to Circular No. A-130.

NISTIR 8062 defines key risk concepts for the new model, which is critical for repeatability and consistency. Costs associated with particular risks are also provided to help account for all impacts in a risk assessment. Common privacy risk factors are to be determined by the vulnerability to, likelihood of, and impact of problematic data actions, each of which is defined as a data action that causes an adverse effect, or problem, for individuals. It is within this set of definitions and concepts provided by NISTIR 8062 that system engineers in federal agencies can incorporate privacy.

NISTIR 8062 is notable as a source of common definitions from which system engineers can act to conduct risk assessments on federal agency systems. It does an admirable job of turning privacy principles into actionable metrics for privacy risk management and assessment. As NIST states, though, NISTIR 8062 is merely an introduction and a first step towards turning the FIPPs into concrete, repeatable action items. It does not have all of the answers, but it is a solid step in the right direction.