usnistgov / NISTIR-8112

Attribute Metadata Publication

Concern for collecting PII + Encryption #31

Closed rw2323 closed 8 years ago

rw2323 commented 8 years ago

Organization: 2

Type: Overall comment on the type of data being collected and confidentiality

Reference (Include section and paragraph number): General

Comment (Include rationale for comment):
This standard appears to be adding some Personally Identifiable Information (PII) to documents. I did not see the mention of document: NIST SP800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information anywhere. http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf

In addition, due to the sensitivity of this information, there may be a requirement for encrypting the document. Again, no references appear that mention encrypting said documents.

Suggested Change: 1) Please add a paragraph that discusses PII and the NIST standard for protecting it. 2) Please add a discussion on appropriate methods for protecting the metadata. Add examples of what kind of metadata would require encryption.


Organization: 1 = Federal, 2 = Industry, 3 = Other

RGalluzzo commented 8 years ago

rw2323, Thanks for the comments. As noted throughout the document, we do believe there are certain privacy considerations that need to be taken into account when using this metadata. That being said, this document is solely focused on identifying the metadata elements that could be used to increase confidence in asserted attribute values. How those attribute values and their associated metadata are stored, transmitted, and otherwise handled would be subject to the standards, requirements, or regulations applying to the environment in which they are being used. How best to address some of these more operational concepts is still being considered.