Privacy Risk Assessment of a DON Digital Contact Tracing System Using the NIST Privacy Framework

Abstract

COVID-19 has impacted the DON's readiness and ability to operate effectively, and this presents a potential security risk to the U.S. population. In order to allow employees to return to their normal working routines and prevent the spread of COVID-19, the DON began to procure and test a Bluetooth-based contact tracing system in 2020. This research explores the privacy considerations of a digital contact tracing system that was being procured by the DON, and it does so by applying the National Institute of Standards and Technology (NIST) Privacy Framework, which was released in January 2020. We are not only able to provide recommendations about the privacy of the contact tracing system, but we are also able to assess the privacy framework as a privacy risk management tool. We provide a privacy threat model of the system by analyzing the data path of the contact tracing system. We also apply the NIST Privacy Framework to our model of the system, and we determine that the framework is useful for risk identification but does very little to contribute to assessing the impact or likelihood of privacy risks. The threat modeling also reveals that the DON needs to focus more on disassociability of data sets when considering the privacy risks of the contact tracing system, and we recommend that the DON begin conducting privacy testing on systems that collect PII. Finally, we recommend combining the NIST Cybersecurity and Privacy Frameworks in order to streamline the assessment process.

Document Details

Document Type
Technical Report
Publication Date
Jun 01, 2021
Accession Number
AD1150893

Entities

People

  • Thomas E. Carter

Organizations

  • Naval Postgraduate School

Tags

Communities of Interest

  • Biomedical
  • Cyber
  • Engineered Resilient Systems

DTIC Thesaurus Topics

  • Artificial Intelligence
  • Big Data
  • Business Administration
  • Computer Science
  • Computers
  • Covid-19
  • Cybersecurity
  • Data Analysis
  • Data Management
  • Data Sets
  • Health Services
  • Information Processing
  • Information Security
  • Information Systems
  • Machine Learning
  • Mobile Phones
  • Network Science
  • Operations Security
  • Personnel Management
  • Public Health
  • Sensor Networks
  • United States
  • United States Naval Academy

Fields of Study

  • Computer science

Readers

  • Agent-Based Social Robotics and Mobile-Assisted Learning in Virtual Environments.
  • Cybersecurity.
  • Defense Acquisition Program Management

Technology Areas

  • Cyber