The National Institute of Standards and Technology (NIST) has issued its latest version of “Security and Privacy Controls for Federal Information Systems and Organizations”1 (the “Guidelines”). These Guidelines, issued and updated from time to time, contain a number of privacy and security controls designed to protect information, and set out a process for selecting controls to protect against a host of threats to information security, including cyber attacks, natural disasters, structural failures, and human errors.

The Guidelines are a valuable security and privacy resource for every business. While designed for use by organizations and systems within the Federal government (and by extension those organizations who do business with the Federal government), the Guidelines may be considered “best practices” for businesses seeking to implement and maintain adequate and appropriate security and privacy controls. As stated in the Guidelines:

The specialization of security plans using the tailoring guidance and overlays, together with a robust set of technology- and policy-neutral security controls, promotes cost-effective, risk-based information security for organizations -in any sector, for any technology, and in any operating environment.

Accordingly, the Guidelines will be useful for general counsel, chief compliance officers, IT departments, and other business units tasked with protecting information. An addition to this version of the Guidelines may be of particular interest to those organizations managing Personally Identifiable Information (PII) and seeking to comply with various (and evolving) statutory and regulatory privacy frameworks. Appendix J, “Privacy Control Catalog,” is “intended to address the privacy needs of federal agencies.” The privacy controls contained in the Guidelines are based on “best practices” and “help organizations comply with applicable federal laws, Executive Orders, directives, instructions, regulations, policies, standards, guidance, and organization-specific issuances.” These security and privacy controls:

  • Are customizable and to be implemented as part of an organization-wide process to manage information security and privacy risk;
  • Address diverse security requirements across the federal government and critical infrastructure, as drawn from legislation, Executive Orders, policies, directives, regulations, standards, and/or business needs;
  • Describe how to develop specialized sets of controls (referred to as “overlays”), tailored for specific business functions, technologies, or operating environments, including cloud computing and mobile devices;
  • Address security from both a functionality perspective (the strength of the security) and an assurance perspective (confidence in security capabilities).

Significantly, these security controls are largely designed to be “policy- and technology-neutral,” in order to prevent the technology “tail” from wagging the security control “dog.”