Does NIST’s draft Privacy Framework pave the way for better agency tech?
Some federal and industry officials say the National Institute of Standards and Technology’s forthcoming Privacy Framework will help businesses develop better software and hardware for agencies.
NIST released a preliminary draft of the framework last week for public comment through Oct. 24 and wants to have version 1.0 published by the end of 2019.
The document is a response to the General Data Protection Regulation taking effect in the European Union and the high-profile Cambridge Analytica privacy incident, as well as IBM’s call for a framework similar to the one NIST developed for cybersecurity.
“One benefit we feel is that this can really help organizations build customer trust by being able to engage in more ethical decision-making around how to optimize beneficial uses of data while minimizing harm to individuals,” Naomi Lefkovitz, framework lead in NIST’s Information Technology Lab, told FedScoop.
And agencies are often the customers using products and services while hoping their vendors are managing everyone’s privacy risks, Lefkovitz added.
The framework refers to this interdependence as the “data processing ecosystem.”
“An organization should use the Privacy Framework from its standpoint in the data processing ecosystem and consider how to manage privacy risk not only with regard to its internal priorities, but also in relation to how they affect other parties’ management of privacy risk,” reads the document.
Like NIST’s cyber framework, the privacy framework creates a common lexicon around ambiguous terms like “data protection,” said Joseph Stuntz, director of federal at the digital privacy company Virtru.
Ideally, the document will bridge the divide between privacy practitioners in government, focused on the legal approach, and developers building systems maintaining privacy, Stuntz said.
“With the data breaches that are well known, and in the public sphere, there’s an appetite for greater clarity if we’re not going to get federal privacy legislation from Congress,” he said.
Privacy is often thought of as an impediment to product development, but the preliminary draft of the framework would enable companies to embed standards into future tech development, said Travis Jarae, CEO of the digital privacy consultancy One World Identity.
Jarae said he still wants to see more involvement from the “big tech players” to understand what they think of the framework.
“Striking a balance between the public and private sector has been challenging historically; it’s a showstopper, but the government has really stepped up and made it easier for big and small companies to work with them,” he said. “I am extremely bullish on innovation in the area of digital identity and privacy with government agencies going forward.”
In keeping with the cyber framework, the privacy framework is a “voluntary tool” with wide applications, Lefkovitz said.
The organizations using the framework will not only be developing products and services for agencies but also individuals or businesses, she added.
Sector-specific organizations and best practice groups in areas like tech, health care, defense and marketing should have leeway to tailor the framework to their customer bases and privacy threats, Stuntz said.
While NIST has been clear the framework isn’t a checklist, and organizations won’t be audited based off it, Stuntz said he expects pushback from groups worried it might be turned into a “compliance regime.”
“NIST has to walk a very fine line on this,” he said.
Ari Schwartz, managing director of cybersecurity services at Venable, said he believes policies will be enacted down the road requiring contractors of companies to use the framework.
“You know that going into the creation of it. It is a risk management framework though; it’s not a compliance document,” Schwartz said. “You don’t have to do all of it; you use it to prioritize.”
