What’s in the NIST Privacy Framework 1.1?

The National Institute of Standards and Technology (NIST) plans to update the Privacy Framework to Version 1.1. This announcement comes four years after the release of the original framework in January 2020.

Initially introduced as The NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Version 1.0, the framework has been instrumental in enhancing the privacy programs of numerous organizations. However, in response to recent developments in information technology, including the release of NIST’s AI Risk Management Framework (AI RMF) and the initiation of an update to NIST’s Cybersecurity Framework (CSF) to Version 2.0, NIST seeks to bring the framework up to speed.

Dylan Gilbert, a privacy policy advisor with the Privacy Engineering Program at NIST, emphasized the framework’s dynamic nature, stating, “The Privacy Framework is a ‘living’ tool meant to evolve to meet stakeholder needs, and the time has come to update to Version 1.1.” He further highlighted the initial framework’s alignment with the CSF, aiming to maintain this connection by incorporating appropriate adjustments based on the changes introduced in CSF 2.0.

The adjustment of the NIST Privacy Framework in response to new frameworks like the NIST’s AI Risk Management Framework (AI RMF) and the update to the NIST Cybersecurity Framework (CSF) to Version 2.0 will likely focus on several key areas to ensure alignment, coherence, and effectiveness across these frameworks. Here’s how the NIST Privacy Framework may be adjusted, but keep in mind that nothing has been drafted yet.

Possible Changes in the Anticipated NIST Privacy Framework

  • Integration of AI and Emerging Technologies Considerations

With the proliferation of artificial intelligence (AI) and other emerging technologies, the updated Privacy Framework may incorporate guidance and considerations for managing privacy risks associated with collecting, processing, and using personal data in AI systems. This integration could involve addressing issues such as data bias, algorithmic transparency, data protection in machine learning models, and the ethical use of AI.

  • Enhanced Cybersecurity-Privacy Nexus

Given the interplay between cybersecurity and privacy, the NIST Privacy Framework update may strengthen its alignment with the NIST Cybersecurity Framework (CSF) Version 2.0. This alignment could involve harmonizing terminology, structure, and methodologies to facilitate the coordinated management of privacy and cybersecurity risks within organizations. Additionally, the updated Privacy Framework may provide guidance on incorporating privacy considerations into cybersecurity risk management processes and vice versa.

  • Data Governance and Risk Management

Recognizing the foundational role of data governance in privacy and cybersecurity, the updated Privacy Framework may emphasize data governance principles, practices, and controls. This could include guidance on establishing data governance frameworks, data lifecycle management, data minimization, data quality, and accountability mechanisms to support adequate privacy and cybersecurity risk management.

  • Enhanced Stakeholder Engagement and Collaboration

The updated Privacy Framework may emphasize stakeholder engagement, collaboration, and transparency to address the evolving privacy landscape and stakeholder needs. This could involve soliciting feedback from diverse stakeholders, including privacy professionals, cybersecurity experts, policymakers, industry representatives, and civil society organizations, to ensure the framework remains relevant, practical, and responsive to emerging challenges and opportunities.

  • Continuous Improvement and Adaptation

Like the NIST Cybersecurity Framework’s “living” approach, the updated Privacy Framework may adopt a continuous improvement and adaptation mindset. This could involve regular reviews, updates, and revisions to reflect changes in technology, regulations, industry standards, and best practices related to privacy and data protection.

  • Enhanced Support for NIST Frameworks Integration

Stakeholders need improved support in integrating NIST frameworks and resources, particularly in privacy, cybersecurity, AI, and the Internet of Things (IoT). Recognizing data governance as the cornerstone for organizations navigating the complexities of data utilization while mitigating associated risks, NIST plans to develop a Joint NIST Frameworks Data Governance Profile.

  • Joint NIST Frameworks Data Governance Profile

Through discussions with stakeholders, it became evident that a joint Profile for data governance could effectively demonstrate the complementary use of NIST frameworks and resources. NIST invites input from stakeholders regarding the proposed joint Profile and encourages suggestions on its structure and content. As the work progresses, NIST plans to host workshops and release public drafts of Privacy Framework 1.1 and the Profile for further feedback and refinement.

By consolidating insights and best practices across multiple frameworks, the joint Data Governance Profile will enable stakeholders to showcase their strategic alignment with NIST guidelines and standards.

The Relationship Between Cybersecurity and Privacy Risk

The relationship between cybersecurity and privacy risk is intrinsic and interconnected. Cybersecurity measures focus on safeguarding digital systems, networks, and data from unauthorized access, breaches, and cyber threats. These measures include implementing firewalls, encryption, access controls, and regular security updates.

On the other hand, privacy risk concerns protecting individuals’ data and ensuring compliance with privacy regulations. This involves managing data collection, processing, storage, and sharing practices to prevent unauthorized disclosure, misuse, or exploitation of personal information.

The overlap between cybersecurity and privacy risk lies in the fact that a breach in cybersecurity can directly lead to privacy violations. For example, if an attacker gains unauthorized access to a database containing sensitive personal information, the incident both compromises the system’s security and violates the privacy of the individuals whose data is exposed.

Moreover, many regulations and standards that touch on cybersecurity, such as GDPR and CCPA, include requirements related to privacy protection. These regulations mandate that organizations implement security measures to safeguard individuals’ data, thus intertwining cybersecurity and privacy concerns.

As we embark on these initiatives, the public is encouraged to contribute to shaping these frameworks and resources by emailing [email protected]. NIST remains committed to evolving alongside technological advancements and stakeholder needs, ensuring that our frameworks continue to serve as valuable tools in navigating the evolving landscape of privacy and cybersecurity.
