This post deserves the same reply as Moon's earlier post about the General Data Protection Regulation in Europe.
You do understand, of course, that the NIST's proposed "Security and Privacy Controls for Information Systems and Organizations" is about protecting people's individual data via removing personal identifiers ("data randomization"), encryption, etc., and it as nothing to do with data communication security.
A key paragraph from your cut and paste: "Individual privacy cannot be achieved solely through securing personally identifiable information," it notes. "Consequently, this publication contains controls designed to meet privacy requirements and to manage the privacy risks associated with an organizations’ creation, collection, use, processing, storage, maintenance, dissemination, disclosure, or disposal of personally identifiable information separate from security concerns."
It has absolutely nothing to do with VirnetX IP.