What’s in the NIST Privacy Framework 1.1?

Key Takeaways

  • Final release is expected by late 2025 or early 2026.
  • The framework will stay structurally aligned with Version 1.0.
  • New draft focuses on AI risks, data lifecycle, and accountability.
  • It introduces stronger alignment with CSF 2.0 and AI RMF 1.0.
  • A Joint Data Governance Profile is being developed alongside it.

Where Does NIST Privacy Framework 1.1 Stand in Mid-2025?

As of July 2025, the final version of NIST Privacy Framework 1.1 has not yet been published. NIST released an initial public draft on April 14, 2025 and accepted comments on it through June 13, 2025, following a series of workshops and stakeholder engagements held in the preceding months. The draft reflects an increasing urgency around harmonizing privacy, cybersecurity, and AI governance, as organizations grapple with the overlapping pressures of regulatory complexity, evolving data practices, and accelerating AI adoption.

Several key signals from NIST’s recent communications and working group summaries point to the following in-progress developments:

  • The Data Governance Profile has taken center stage, with NIST emphasizing its role as a connector across various frameworks. This profile is expected to provide practical mappings across the NIST Privacy Framework, Cybersecurity Framework 2.0, and AI Risk Management Framework, offering organizations a tangible way to operationalize data controls.
  • A growing emphasis on organizational accountability, with draft language suggesting stronger guidance on how to assign roles, track responsibility, and document decisions across data lifecycles, not just technical safeguards.
  • Preparations for regulatory alignment, including potential references to global frameworks such as the EU AI Act and evolving U.S. state privacy laws. While NIST is not a regulatory body, Version 1.1 is expected to help bridge operational gaps between voluntary guidance and binding obligations.

NIST has reiterated that Version 1.1 will maintain the core structure of Version 1.0. This means organizations already aligned with the current framework will not need to start from scratch. Instead, the update is designed to be additive, improving clarity, usability, and applicability to today’s risk landscape.

Stay tuned: With the public comment period on the initial draft closed in June 2025, final publication is targeted for late 2025 or early 2026. Organizations are encouraged to prepare by reviewing the current framework alongside the finalized NIST CSF 2.0 and AI RMF 1.0, and by reading the public draft of the Joint Data Governance Profile where it is available.

Background to the NIST Privacy Framework

The National Institute of Standards and Technology (NIST) announced in early 2024 that it would update the Privacy Framework to Version 1.1. The announcement came four years after the release of the original framework in January 2020.

Initially introduced as The NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Version 1.0, the framework has shaped the privacy programs of numerous organizations. However, in response to developments since 2020, including the release of NIST’s AI Risk Management Framework (AI RMF) and the publication of Version 2.0 of NIST’s Cybersecurity Framework (CSF) in February 2024, NIST set out to bring the Privacy Framework up to date.

Dylan Gilbert, a privacy policy advisor with the Privacy Engineering Program at NIST, emphasized the framework’s dynamic nature, stating, “The Privacy Framework is a ‘living’ tool meant to evolve to meet stakeholder needs, and the time has come to update to Version 1.1.” He further highlighted the initial framework’s alignment with the CSF, aiming to maintain this connection by incorporating appropriate adjustments based on the changes introduced in CSF 2.0.

The adjustment of the NIST Privacy Framework in response to the AI RMF and CSF 2.0 will likely focus on several key areas to ensure alignment, coherence, and effectiveness across these frameworks. Here is how the Privacy Framework may be adjusted; keep in mind that these expectations were set out before NIST published a draft.


Possible Changes in the Anticipated NIST Privacy Framework

  • Integration of AI and Emerging Technologies Considerations

With the proliferation of artificial intelligence (AI) and other emerging technologies, the updated Privacy Framework may incorporate guidance and considerations for managing privacy risks associated with collecting, processing, and using personal data in AI systems. This integration could involve addressing issues such as data bias, algorithmic transparency, data protection in machine learning models, and the ethical use of AI.

  • Enhanced Cybersecurity-Privacy Nexus

Given the interplay between cybersecurity and privacy, the NIST Privacy Framework update may strengthen its alignment with the NIST Cybersecurity Framework (CSF) Version 2.0. This alignment could involve harmonizing terminology, structure, and methodologies to facilitate the coordinated management of privacy and cybersecurity risks within organizations. Additionally, the updated Privacy Framework may offer guidance on incorporating privacy considerations into cybersecurity risk management processes and vice versa.

  • Data Governance and Risk Management

Recognizing the foundational role of data governance in privacy and cybersecurity, the updated Privacy Framework may emphasize data governance principles, practices, and controls. This could include guidance on establishing data governance frameworks, data lifecycle management, data minimization, data quality, and accountability mechanisms to support effective privacy and cybersecurity risk management.

  • Enhanced Stakeholder Engagement and Collaboration

The updated Privacy Framework may emphasize stakeholder engagement, collaboration, and transparency to address the evolving privacy landscape and stakeholder needs. This could involve soliciting feedback from diverse stakeholders, including privacy professionals, cybersecurity experts, policymakers, industry representatives, and civil society organizations, to ensure the framework remains relevant, practical, and responsive to emerging challenges and opportunities.

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days

Learn more about how to be compliant with NIST Privacy Framework 1.1

  • Continuous Improvement and Adaptation

Like the NIST Cybersecurity Framework’s “living” approach, the updated Privacy Framework may adopt a continuous improvement and adaptation mindset. This could involve regular reviews, updates, and revisions to reflect changes in technology, regulations, industry standards, and best practices related to privacy and data protection.

  • Enhanced Support for NIST Frameworks Integration

Stakeholders need improved support in integrating NIST frameworks and resources, particularly in privacy, cybersecurity, AI, and the Internet of Things (IoT). Recognizing data governance as the cornerstone for organizations navigating the complexities of data utilization while mitigating associated risks, NIST plans to develop a Joint NIST Frameworks Data Governance Profile.

  • A Joint NIST Data Governance Profile

Through discussions with stakeholders, it became evident that a joint Profile for data governance could effectively demonstrate the complementary use of NIST frameworks and resources. NIST invites input from stakeholders regarding the proposed joint Profile and encourages suggestions on its structure and content. As plans progress, NIST intends to host workshops and release public drafts of Privacy Framework 1.1 and the Profile for further feedback and refinement.

By consolidating insights and practices across multiple frameworks, the joint Data Governance Profile will give organizations a single reference for demonstrating how their data governance aligns with NIST guidance.

The Relationship Between Cybersecurity and Privacy Risk

The relationship between cybersecurity and privacy risk is intrinsic and interconnected. Cybersecurity measures focus on safeguarding digital systems, networks, and data from unauthorized access, breaches, and cyber threats. These measures include implementing firewalls, encryption, access controls, and regular security updates.

On the other hand, privacy risk concerns protecting individuals’ data and ensuring compliance with privacy regulations. This involves managing data collection, processing, storage, and sharing practices to prevent unauthorized disclosure, misuse, or exploitation of personal information.

The overlap between cybersecurity and privacy risk lies in the fact that a cybersecurity breach can directly lead to privacy harm. For example, if an attacker gains unauthorized access to a database containing sensitive personal information, the system’s security is compromised and the affected individuals’ privacy is exposed. The reverse does not hold: a system can be fully secure and still create privacy risk through over-collection, unexpected secondary use, or excessive retention of personal data, which is why the Privacy Framework treats privacy risk as distinct from, though overlapping with, cybersecurity risk.

Moreover, many privacy regulations, such as the GDPR and the CCPA, include security requirements. The GDPR, for instance, requires controllers and processors to implement appropriate technical and organisational measures to protect personal data, and the CCPA exposes businesses to liability for breaches that result from a failure to maintain reasonable security. These obligations intertwine cybersecurity and privacy concerns.

NIST encourages the public to help shape these frameworks and resources by emailing [email protected]. NIST has stated that it remains committed to evolving alongside technological advancements and stakeholder needs, so that its frameworks continue to serve as practical tools for navigating the changing landscape of privacy and cybersecurity.


FAQs

1. Will NIST include implementation examples?

NIST is considering whether to add practical implementation examples that connect workforce tasks to the updated Core functions. Such examples would help organizations understand how to implement the framework, particularly teams that need more concrete guidance on roles and responsibilities.

2. Should Subcategory ID gaps be renumbered?

Some Subcategory identifiers in the draft are no longer sequential because certain items were removed or moved. NIST is asking whether to leave these gaps as they are, preserving continuity with Version 1.0 identifiers that organizations may already reference in their policies and mappings, or to renumber them for a cleaner, easier-to-follow structure.

3. Should more content be moved online?

Section 3 of the framework has already been transitioned to a web-based format. NIST is now exploring whether other parts of the framework, like appendices and user guides, should also move online to improve usability and support interactive learning.

4. Does the draft align well with CSF 2.0?

A major goal of this update is to better align the Privacy Framework with the Cybersecurity Framework 2.0. The draft reflects shared structure and language, but NIST is still collecting feedback on how well the two frameworks work together in practice.
