NIST Security Draft Promises New Privacy Standards for US Federal Agencies

The US National Institute of Standards and Technology (NIST) has drafted a new set of privacy standards that US federal agencies will have to abide by when implementing new interconnected systems related to the internet-of-things (IoT).

The draft, entitled “Security and Privacy Controls for Information Systems and Organizations”, addresses the security and privacy concerns expressed by the US”s Task Force on Cyber Defense, which stated that the risks of interconnecting new devices to critical infrastructure should not be taken lightly. The draft focuses on privacy and new technologies and products, emphasizing the need for stricter integration of controls and regulations not just for federal agencies, but for other organizations as well.

“Individual privacy cannot be achieved solely through securing personally identifiable information,” reads the draft. “Consequently, this publication contains controls designed to meet privacy requirements and to manage the privacy risks associated with an organizations” creation, collection, use, processing, storage, maintenance, dissemination, disclosure, or disposal of personally identifiable information separate from security concerns.”

While the document mainly focuses on federal institutions, recommending how privacy and security controls should be put in place when integrating new technologies, it also touches on personally identifiable information (PII) and how consumers should be warned regarding the data being collected. Somewhat similar to the European Union”s General Data Protection Regulation (GDPR), the NIST draft also states that users should be given clear, concise information about what PII is collected from them.

“To help users understand the risks being accepted when providing consent, organizations write materials in plain language and avoid technical jargon,” reads the NIST draft. “When developing or purchasing consent tools, organizations consider the application of good information design procedures in all user-facing consent materials; use of active voice and conversational style; logical sequencing of main points; consistent use of the same word (rather than synonyms) to avoid confusion; the use of bullets, numbers, and formatting where appropriate to aid readability; and legibility of text, such as font style, size, color, and contrast with surrounding background.”

A final draft of the documented is expected in October. If approved, it will significantly impact US infrastructures and the way new technologies are integrated from both a security and privacy perspective.