New Year, New Initiatives for the NIST Privacy Framework!

It’s been four years since the release of The NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Version 1.0. Since then, many organizations have found it highly valuable for building or improving their privacy programs. We’ve also been able to add a variety of resources to support its implementation.

[Image: PF Resources Pic. Credit: NIST]

We’re proud of how much has been accomplished in just a few short years, but we’re not resting on our laurels. As another, more famous, Dylan once said, “the times they are a-changin’.” For example, the past year has seen the release of the NIST AI Risk Management Framework (AI RMF) and the start of an update to the NIST Cybersecurity Framework (CSF), Version 2.0. In light of these and other developments in information technology, our stakeholders have expressed a desire for a Privacy Framework update, as well as more help with using NIST frameworks and resources for privacy, cybersecurity, Artificial Intelligence (AI), and Internet of Things (IoT) together.

NIST Privacy Framework 1.1

The Privacy Framework is a “living” tool meant to evolve to meet stakeholder needs, and the time has come to update to Version 1.1. The initial version was modeled upon the CSF so that the two frameworks could be used together more easily. We want to maintain the connection by making appropriate adjustments based on CSF 2.0 changes. In addition, stakeholders have had a few years to use the Privacy Framework and have identified areas where targeted improvements can be made. This year, we intend to implement a modest update to the Privacy Framework to support realignment with CSF 2.0, facilitate ease and effectiveness of use, and ensure the tool is responsive to current privacy risk management needs.

Joint NIST Frameworks Profile for Data Governance

As noted above, we recognize that there is a desire for more support in using the NIST frameworks and resources together. In talking with stakeholders, we realized that data governance is the starting point for many organizations seeking to glean the benefits of data processing while managing privacy, cybersecurity, AI, and IoT risks. Then the light bulb went off that a joint Profile for data governance could be a way to effectively demonstrate complementary use of NIST frameworks and resources. This Profile could take many forms, such as a flow chart or a crosswalk among various NIST Framework Subcategories. We plan to leverage the Privacy Framework 1.1 update process to develop the Profile as many of the same stakeholders will be involved. Ultimately, we want to hear from you if you like this idea and what this resource should look like.

Next Steps

We hope you’ll contribute your expertise to these endeavors through the numerous opportunities to get involved as outlined in this milestone timeline:

[Image: PF 1.1 DG Profile milestone timeline. Credit: NIST]

Stay Up to Date

As our planning progresses, we will update the development schedule on our New Projects webpage with specific dates. Given that the Privacy Framework update and Data Governance Profile development coincide with the finalization of our Privacy Workforce Taxonomy, we intend to align all three workstreams where practicable.

Details on each stage in this process will be provided through a variety of channels:

  • Email: As a starting point, be sure to sign up to our Privacy Framework email listserv by sending an email to privacyframework+subscribe[at]list[dot]nist[dot]gov
  • Website: We will have a dedicated webpage on the main Privacy Framework website to serve as the central repository for all pertinent information and events relating to the Privacy Framework update process and Data Governance Profile development
  • Social Media: If you prefer to get updates via social media, be sure to follow NIST Cyber on LinkedIn and Facebook
  • Contact Us: Finally, you can always contact us with questions or comments at privacyframework[at]nist[dot]gov

We look forward to working with you this year! In the meantime, please let us know what you think about these new initiatives and how we should approach them by contacting us at privacyframework[at]nist[dot]gov.