As part of the implementation of the President’s Executive Order 13636 on cybersecurity, the National Institute for Standards and Technology (NIST) issued a Request for Information regarding development of a Framework to improve U.S. critical infrastructure cybersecurity. On April 8, The Constitution Project submitted comments to NIST recommending specific measures to incorporate privacy and civil liberties safeguards into government cybersecurity programs.
TCP noted in its comments that the Cybersecurity Framework being developed poses far fewer threats to privacy and civil liberties than would proposed cybersecurity legislation, because the Order does not, and cannot, create exemptions from existing privacy protective statutes. Nonetheless, TCP’s comments urge that the Framework should follow the Fair Information Practice Principles (FIPPs), widely recognized guidance for robust privacy safeguards. . In particular, TCP recommends that the Framework should promote overall data minimization, use limitations on private information, protections for data integrity, and accountability and auditing requirements.