
ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

Appendix J, Privacy Assessment Procedures, is a new addition to NIST Special Publication 800-53A. When completed, the appendix will provide a complete set of assessment procedures for the privacy controls in NIST Special Publication 800-53, Appendix J. The new privacy control assessment procedures are under development and will be added to the appendix after a thorough public review and vetting process. The terminology throughout this publication has been updated to include references to privacy in all aspects of the assessment process, including mirroring the artifacts that are essential inputs to the current security authorization process. Each organization employing these guidelines has the flexibility to address the privacy assessment process, and the integration of privacy-related artifacts into the organization's risk management processes, in the manner that best supports the organizational missions and business objectives, consistent with Office of Management and Budget policies.

Standardized assessment procedures for privacy controls provide a more disciplined and structured approach for determining compliance with federal privacy requirements and also promote more cost-effective methods for determining such compliance. There will be a strong similarity between the structure of the assessment procedures for privacy controls in Appendix J and that of the assessment procedures for security controls in Appendix F. This similarity will promote closer cooperation between privacy and security officials within the federal government and help achieve the objectives of senior leaders/executives in enforcing the requirements in federal privacy legislation, directives, policies, regulations, standards, and guidance.

Finally, it should be noted that as the assessment procedures for privacy controls are added to Appendix J, certain terminology traditionally associated with security controls and security control assessments in earlier versions of this publication is being modified, where appropriate, to include references to privacy. However, some security-related terms (e.g., security categorization, security control baseline, tailored security control baseline) are unique to security controls and have no direct analogs in the privacy arena. In such cases, no equivalent privacy-related terminology has been added to the publication. Privacy officials, at their discretion, may choose to adopt any or all of the security-related terms in this publication in support of privacy control assessments.
