For purposes of the framework, the analysis defines privacy and civil liberties as “the ability of individuals to avoid harmful consequences to themselves arising from the use or exposure of information about themselves.”
To better address the issues moving forward, NIST provided several representative questions on the topic, including, “In addition to data security issues, what kinds of privacy and civil liberties issues arise out of cybersecurity practices?” as well as, “How do we quantify privacy and civil liberties risks arising out of cybersecurity practices?”
NIST’s analysis of the RFI, which resulted in nearly 250 comments, was published on May 15. The report lists “initial gaps” in the comments that were received, which it defines as “those areas where RFI responses were not sufficient to meet the goal of the executive order.” One of those gaps turned out to be “Privacy/Civil Liberties.” Though the report showed that 52 percent of public comments mentioned the topic, the comments did not substantively address the issue.
NIST is holding a series of four workshops to discuss and hammer out the details of the framework with industry leaders. (At press time, two of those workshops had already been conducted. The first workshop, which mostly set out the goals, was reported on in the May “Editor’s Note,” and some early analysis of written comments was reported on in the June “Homeland Security” department.)
Sedgewick says that the subsequent workshops are meant to be “in-depth working sessions around the country, where we’ve asked people to come in and roll up their sleeves and try to flesh out the responses we got, to make sure that we have the information we need at the end of this process for this framework.”
This give-and-take process is intended to allow privacy advocates and others to provide additional feedback. “Throughout the process you’ll see us kind of constantly popping back up and saying, ‘Okay this is what we heard, can you help us validate this, are there other gaps that we need to work to address?’” he says. “Privacy is obviously a key part…. We want to make sure that whatever is in the framework enhances privacy, and we think there are probably things we can talk about [regarding] how organizations can manage privacy, as well as security.”