NIST has revised the draft cybersecurity framework that it released in August. What it published today is a “preliminary cybersecurity framework.” After comments, a final framework will be released in February.
I’ve been very critical of the draft released in August. NIST clearly worked to address the criticisms.
The result is a mixed bag, but the document is still a net loss for security.
What’s improved? First, in an effort to introduce flexibility into the document, NIST deleted all the “should” language from the privacy standards.
Second, it added a paragraph that asserts the “flexibility” that organizations have to implement the privacy provisions:
Appendix B contains a methodology to protect privacy and civil liberties for a cybersecurity program as required under the Executive Order. Organizations may already have processes for addressing privacy risks such as a process for conducting privacy impact assessments. The privacy methodology is designed to complement such processes by highlighting privacy considerations and risks that organizations should be aware of when using cybersecurity measures or controls. As organizations review and select relevant categories from the Framework Core, they should review the corresponding category section in the privacy methodology. These considerations provide organizations with flexibility in determining how to manage privacy risk.
Third, NIST responded to my concern that the “governance” section of the appendix would smuggle into the rules governing private companies all of the fair information practice principles, or FIPPs, that govern federal agencies. NIST narrowed the scope of the governance section by tying it to the actual PII being used for cybersecurity. See the bold language below.
Old version: Organizations should identify policies and procedures that address privacy or PII management practices. Organizations should assess whether or under which circumstances such policies and procedures : [followed by a list of FIPPs, many with dubious relationship to cybersecurity]
New version: Identify policies and procedures that address privacy or PII management practices for the PII identified under the Assets category. In connection with the organization’s cybersecurity procedures, assess whether or under which circumstances such policies and procedures: [followed by the same list]
That’s a substantial improvement.
What’s wrong with the new version? Well, the first change, dropping the “should”s, is well-intended but largely cosmetic. In fact, it arguably makes the rules harsher, not more flexible. That’s because, instead of telling companies what they “should” do to protect privacy, the appendix now just commands them to do those things. You can see that in the example above. Also in this one:
Old version: “When performing forensics, organizations should only retain PII that is relevant to the investigation.”
New version: “When performing forensics, only retain PII or communications content that is necessary to the investigation.”
(As an aside, note the other change in the new version, which is pretty clearly the result of privacy groups’ comments. It tells companies to protect communications content, not just PII. But that change is only needed if the companies are sharing content that can’t be traced to a person. So it seems to mean that companies who share information about spam should minimize the amount of spam they quote when trying to tell other companies which messages to block. That’s dumb. More broadly, why should such a mandate be added to a standard that insists that it’s about PII?)
That brings me to my biggest concern. Despite NIST’s claim that it has left companies lots of flexibility, you can’t really find flexibility in the language of the privacy appendix. So I continue to fear that the net result of the package will be to impose a “privacy tax” on cybersecurity, adding to the cost of security measures by tying those measures to expensive privacy obligations whose value is unproven. For example:
Old: “When voluntarily sharing information about cybersecurity incidents, organizations should ensure that only PII that is relevant to the incidents is disclosed.”
New: “When voluntarily sharing information about cybersecurity incidents, limit disclosure of PII or communications content to that which is necessary to describe or mitigate the incident”
The new language is slightly less demanding, but it still calls on companies that share information about malware and intrusions to make determinations about which information is “necessary” to describe or mitigate the incident. If the company guesses wrong about a couple of bits of information, and someone later decides that those bits weren’t strictly necessary to mitigate the incident, then the standard has been violated and liability is much more likely. At a minimum, lawyers have to review every category of data that is being shared and write rules for when it is necessary and when it isn’t. It takes heroic ignorance to believe that a requirement like that won’t reduce the sharing that’s already occurring, even among private enterprises.
Finally, NIST took a further step that has heightened my concern that this appendix is going to impose the FIPPs on the entire US private sector. That’s because the only “reference” standard offered by NIST to explain and implement the appendix is a document that is plainly written for government agencies trying to implement federal privacy standards. In the absence of any other reference, the pressure will be great to follow the government rules.
So, to return to the example above, suppose you’re a company that wants to implement privacy-compliant information sharing. You consult the “reference” standard, and here’s what you’re told:
MINIMIZATION OF PERSONALLY IDENTIFIABLE INFORMATION
Control: The organization:
a. Identifies the minimum personally identifiable information (PII) elements that are relevant and necessary to accomplish the legally authorized purpose of collection;
b. Limits the collection and retention of PII to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; and
c. Conducts an initial evaluation of PII holdings and establishes and follows a schedule for regularly reviewing those holdings [Assignment: organization-defined frequency, at least annually] to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose.
Supplemental Guidance: Organizations take appropriate steps to ensure that the collection of PII is consistent with a purpose authorized by law or regulation. The minimum set of PII elements required to support a specific organization business process may be a subset of the PII the organization is authorized to collect. Program officials consult with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) and legal counsel to identify the minimum PII elements required by the information system or activity to accomplish the legally authorized purpose.
Organizations can further reduce their privacy and security risks by also reducing their inventory of PII, where appropriate. OMB Memorandum 07-16 requires organizations to conduct both an initial review and subsequent reviews of their holdings of all PII and ensure, to the maximum extent practicable, that such holdings are accurate, relevant, timely, and complete. Organizations are also directed by OMB to reduce their holdings to the minimum necessary for the proper performance of a documented organizational business purpose. OMB Memorandum 07-16 requires organizations to develop and publicize, either through a notice in the Federal Register oron their websites, a schedule for periodic reviews of their holdings to supplement the initial review. Organizations coordinate with their federal records officers to ensure that reductions in organizational holdings of PII are consistent with NARA retention schedules. By performing periodic evaluations, organizations reduce risk, ensure that they are collecting onlythe data specified in the notice, and ensure that the data collected is still relevant and necessary for the purpose(s) specified in the notice. Related controls: AP-1, AP-2, AR-4, IP-1, SE-1, SI-12, TR- 1.
(1) MINIMIZATION OF PERSONALLY IDENTIFIABLE INFORMATION | LOCATE / REMOVE / REDACT / ANONYMIZE PII
The organization, where feasible and within the limits of technology, locates and removes/redacts specified PII and/or uses anonymization and de-identification techniques to permit use of the retained information while reducing its sensitivity and reducing the risk resulting from disclosure.
Supplemental Guidance: NIST Special Publication 800-122 provides guidance on anonymization.
None of this is good for quick and easy cybersecurity information sharing. It seems to suggest that each sharing company has to evaluate its cybersecurity data and minimize, perhaps even anonymize, the data it keeps and to get rid of anything it isn’t sure it needs. The data will have to be scrubbed for accuracy and completeness. To make that decision, the guidance creates a committee that includes not just the lawyers but top officials and a privacy officer, further clogging and bureaucratizing what should be an instantaneous exchange of threat data. This raises the cost of information sharing, which is what you do only if you want less of something.