2.3 INFORMATION SECURITY AND PRIVACY IN THE RMF

Executing the RMF requires close collaboration between information security programs and privacy programs. While information security programs and privacy programs have different objectives, those objectives are overlapping and complementary. Information security programs are responsible for protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction (i.e., unauthorized system activity or behavior) in order to provide confidentiality, integrity, and availability. Privacy programs are responsible for ensuring compliance with applicable privacy requirements and for managing the risks to individuals associated with the creation, collection, use, processing, dissemination, storage, maintenance, disclosure, or disposal (collectively referred to as “processing”) of PII.³⁰ When preparing to execute the steps of the RMF, organizations consider how to best promote and institutionalize collaboration between the two programs to ensure that the objectives of both disciplines are met at every step of the process.

³⁰ Privacy programs may also choose to consider the risks to individuals that may arise from their interactions with information systems, where the processing of PII may be less impactful than the effect the system has on individuals’ behavior or activities. Such effects would constitute risks to individual autonomy and organizations may need to take steps to manage those risks in addition to information security and privacy risks. ***

When an information system processes PII, the organization’s information security program and privacy program have a shared responsibility for managing the risks to individuals that may arise from unauthorized system activity or behavior. This requires the two programs to collaborate when selecting, implementing, assessing, and monitoring security controls.³¹ However, while information security programs and privacy programs have complementary objectives with respect to managing the confidentiality, integrity, and availability of PII, protecting individuals’ privacy cannot be achieved solely by securing PII.

Not all privacy risks arise from unauthorized system activity or behavior, such as unauthorized access or disclosure of PII. Some privacy risks may result from authorized activity that is beyond the scope of information security. For example, privacy programs are responsible for managing the risks to individuals that may result from the creation, collection, use, and retention of PII; the inadequate quality or integrity of PII; and the lack of appropriate notice, transparency, or participation. Therefore, to help ensure compliance with applicable privacy requirements and to manage privacy risks from authorized and unauthorized processing of PII, organizations’ privacy programs also select, implement, assess, and monitor privacy controls.³²

[OMB A-130] defines a privacy control as an administrative, technical, or physical safeguard employed within an agency to ensure compliance with applicable privacy requirements and to manage privacy risks. A privacy control is different from a security control, which the Circular defines as a safeguard or countermeasure prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information. Due to the shared responsibility that organizations’ information security programs and privacy programs have to manage the risks to individuals arising from unauthorized system activity or behavior, controls that achieve both security and privacy objectives are both privacy and security controls. This guideline refers to such controls that achieve both sets of objectives simply as “controls.” When this guideline uses the descriptors “privacy” and “security” with the term control, it is referring to those controls in circumstances where the controls are selected, implemented, and assessed for particular objectives.

The risk management processes described in this publication are equally applicable to security and privacy programs. However, the risks that security and privacy programs are required to manage are overlapping in some areas, but not in others. Consequently, it is important that organizations understand the interplay between privacy and security to promote effective collaboration between privacy and security officials at every level of the organization.

³¹ For example, in Task C-2 of the Categorize step, privacy and security programs work together to consider potential adverse impacts to organizational operations, organizational assets, individuals, other organizations, and the Nation resulting from the loss of confidentiality, integrity, or availability of PII in order to determine the impact level for the information system. The resulting impact level drives the selection of a security control baseline in Task S-1 of the Select step.

³² Different controls may need to be selected to mitigate the privacy risks associated with authorized processing of PII. For example, there may be a risk that individuals would be embarrassed or stigmatized if certain information is disclosed about them. While encryption could prevent unauthorized disclosure of PII, it would not address any privacy risks related to disclosures to parties that are authorized to decrypt and access the PII. To mitigate this privacy risk, organizations would need to assess the risk of allowing authorized parties to decrypt the information and potentially select controls that would mitigate that risk. In such an example, an organization might select controls to enable individuals to understand the organization’s disclosure practices and exercise choices about this access or use differential privacy or privacy-enhancing cryptographic techniques to disassociate the information from an individual.