As part of an ongoing series of workshops on privacy engineering and risk management, NIST will host a public workshop on May 18th in Gaithersburg, Maryland. NIST is seeking feedback from stakeholders on how to incorporate privacy, for the first time, into the upcoming revision of NIST Special Publication 800-53A, Assessing Security and Privacy Controls in Federal Information Systems [PDF], the companion guidance for NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems. NIST is interested in learning about privacy practitioners’ current procedures for assessing privacy controls, lessons learned, and challenges in order to develop appropriate guidance.
Who should attend: System designers, security and privacy engineers, security and privacy officers, control assessors, and security and privacy subject matter experts should attend this interactive workshop. Public and private sector attendees and academics welcome.
CPE credits: The International Association of Privacy Professionals (IAPP) has approved up to 3.3 CPE credits for attending this workshop. To request credits from IAPP, please use this form.
Questions? Contact privacyeng [at] nist.gov (subject: , body: ) (privacyeng[at]nist[dot]gov)
This document provides context and questions for discussion at the workshop.
8:00: Registrant Check-in
NIST cafeteria is available to attendees.
9:00-9:15: Opening Remarks
9:15-10:00: Panel
Moderator: Ellen Nadeau | Privacy Risk Strategist, NIST
Panelists:
This panel will set the stage for the breakout sessions with a discussion of controls assessment. Learn about the purpose and objectives of NIST SP 800-53A. Hear from privacy practitioners on the procedures they have been using and where the challenges lie with assessing privacy controls.
10:00-11:10: Breakout Session #1: Control Assessment Methods
Topics of discussion for this breakout session will include current methods of assessing privacy controls, assessment challenges, and potential improvements to current assessment practices.
11:10-11:20: Break
NIST cafeteria is available to attendees.
11:20-12:30: Breakout Session #2: Skillsets and Automation
Topics of discussion for this breakout session will include skillsets for privacy control assessors, collaboration with security professionals, and the existing and potential use of automation tools.
12:30: Adjourn
Mr. Kevin Stine is the Chief of the Applied Cybersecurity Division in the National Institute of Standards and Technology’s Information Technology Laboratory. In this capacity, he leads NIST collaborations with industry, academia, and government on the practical implementation of cybersecurity and privacy through outreach and effective application of standards and best practices. The Applied Cybersecurity Division develops cybersecurity and privacy guidelines, tools, and reference architectures in diverse areas such as public safety communications; health information technology; smart grid, cyber physical, and industrial control systems; and programs focused on outreach to small businesses and federal agencies. The Division is home to several priority national programs including the National Cybersecurity Center of Excellence, the National Strategy for Trusted Identities in Cyberspace, and the National Initiative for Cybersecurity Education (NICE).
Naomi Lefkovitz is the Senior Privacy Policy Advisor in the Information Technology Lab at the National Institute of Standards and Technology, U.S. Department of Commerce. She leads the privacy engineering program, which focuses on developing privacy risk management processes and integrating solutions for protecting individuals’ privacy into information technologies, including digital identity services, IoT, smart cities, big data, mobile, and artificial intelligence. FierceGovernmentIT named Ms. Lefkovitz on their 2013 “Fierce15” list of the most forward-thinking people working within government information technology, and she is a 2014 and 2018 Federal 100 Awards winner.
Before joining NIST, she was the Director for Privacy and Civil Liberties in the Cybersecurity Directorate of the National Security Council in the Executive Office of the President. Her portfolio included the National Strategy for Trusted Identities in Cyberspace as well as addressing the privacy and civil liberties impact of the Obama Administration’s cybersecurity initiatives and programs. Prior to her tenure in the Obama Administration, Ms. Lefkovitz was a senior attorney with the Division of Privacy and Identity Protection at the Federal Trade Commission. Her responsibilities focused primarily on policy matters, including legislation, rulemakings, and business and consumer education in the areas of identity theft, data security and privacy. At the outset of her career, she was Assistant General Counsel at CDnow, Inc., an early online music retailer.
Ms. Lefkovitz holds a B.A. with honors in French Literature from Bryn Mawr College and a J.D. with honors from Temple University School of Law.
Ellen Nadeau is part of the Privacy Engineering Program at the National Institute of Standards and Technology (NIST), where she works to develop and pilot privacy risk management guidance and tools for organizations across sectors. She specializes in privacy-enhancing identity management solutions. Ellen received her Master’s of Public Administration from New York University, where she was a Scholar for Service at the NYU Center for Interdisciplinary Studies in Security and Privacy. Previously, Ellen worked at a digital rights nonprofit (Derechos Digitales) in Santiago, Chile, as a Google Policy Fellow, and with the National Center for Missing & Exploited Children in the Netsmartz Workshop.
Victoria Yan Pillitteri is a computer scientist in the Computer Security Division at the National Institute of Standards and Technology (NIST), where she leads a team of information security researchers to develop security risk management guidance and publications. Victoria also serves as co-chair of the Federal Computer Security Managers’ Forum. She previously worked on the Cybersecurity Framework, led the NIST Smart Grid and Cyber Physical Systems Cybersecurity Research Programs, and served on a detail in the office of the NIST Director as an IT policy advisor. She has co-authored a number of NIST Special Publications (SPs) and Interagency Reports (IRs) on information security, including: SP 800-12, 800-37, 800-53, 800-82, 800-171A, 1108 and IR 7628, and 8170. Victoria holds a B.S. in Electrical Engineering from the University of Maryland, a M.S in Computer Science, with a concentration in Information Assurance, from the George Washington University, and is a Certified Information Systems Security Professional (CISSP).
Lindsay Lennon Vogel
Lindsay Lennon Vogel is the Senior Director for Privacy Compliance at the Department of Homeland Security. Ms. Vogel oversees the privacy compliance process, including the development of privacy compliance policy, both at DHS Headquarters and the Components. As part of her role, Ms. Vogel coordinates closely to align DHS Privacy Office policy with the office of the DHS Chief Information Security Officer on issues related to the Federal Information Security Management Act.
Prior to joining the DHS Privacy Office in August 2013, Ms. Vogel served as a privacy analyst at U.S. Citizenship and Immigration Services (USCIS), specifically the Office of Transformation Coordination. At USCIS, Ms. Vogel was responsible for providing expert advice on issues related to privacy for a major IT system undergoing agile development.
Ms. Vogel received her bachelor’s degree from the George Washington University and her J.D. from George Mason University School of Law (now Antonin Scalia Law School at George Mason University).
NON U.S. CITIZENS PLEASE NOTE: All foreign national visitors who do not have permanent resident status and who wish to register for the above meeting must supply additional information. Failure to provide this information prior to arrival will result, at a minimum, in significant delays in entering the facility. Authority to gather this information is derived from United States Department of Commerce Department Administrative Order (DAO) number 207-12.
*New Visitor Access Requirement: Effective July 21, 2014, Under the REAL ID Act of 2005, agencies, including NIST, can only accept a state-issued driver’s license or identification card for access to federal facilities if issued by states that are REAL ID compliant or have an extension. As of Monday, January 30, 2017, Federal agencies will be prohibited from accepting driver’s licenses and identification cards from the following states for accessing federal facilities: Maine, Minnesota, Missouri, Montana and Washington. For further details, please visit our Campus Access and Security page.
Acceptable Photo Identification:
For Non-US Citizens: Valid passport for photo identification
For US Permanent Residents: Permanent Resident/Green card for photo identification