NIST Releases Privacy Engineering and Risk Management Guidance for Federal Agencies
Time 2 Minute Read

On January 4, 2017, the National Institute of Standards and Technology (“NIST”) announced the final release of NISTIR 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems. NISTIR 8062 describes the concept of applying systems engineering practices to privacy and sets forth a model for conducting privacy risk assessments on federal systems. According to the NIST, NISTIR 8062 “hardens the way we treat privacy, moving us one step closer to making privacy more science than art.”

The stated goals of NISTIR 8062 are to:

  • lay the groundwork for future guidance on how federal agencies will be able to incorporate privacy as an attribute of trustworthy systems through the management of privacy as a collaborative, interdisciplinary engineering practice;
  • introduce a set of consistent objectives for privacy engineering and a new model for assessing privacy risks in federal systems; and
  • provide a roadmap for evolving these preliminary concepts into actionable guidance, complementary to existing NIST guidance for information security risk management, so that agencies may more effectively meet their obligations under applicable federal privacy requirements and policies.

In its announcement, the NIST explains that the impetus for its work on privacy risk management came, in part, from the fact that there is an abundance of guidance on information security risk management but “no comparable body of work for privacy” and no “widely accepted models for doing the actual [risk] assessment.” As the NIST points out, high-level privacy principles, such as the Fair Information Practice Principles, “aren’t written in terms that system engineers can easily understand and apply.” NISTIR 8062 seeks to begin to close the gap between high-level privacy principles and practical privacy engineering and risk management.

The NIST’s announcement emphasizes that NISTIR 8062 is only an introduction to privacy engineering and risk management concepts. The NIST plans to refine its ideas and develop further guidance in the coming months and years.


Subscribe Arrow

Recent Posts




Jump to Page