a NIST blog
It’s been four years since the release of The NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Version 1.0. Since then, many organizations have found it highly valuable for building or improving their privacy programs. We’ve also been able to add a variety of resources to support its implementation.
NIST Privacy Framework 1.1
The Privacy Framework is a “living” tool meant to evolve to meet stakeholder needs, and the time has come to update to Version 1.1. The initial version was modeled upon the NIST Cybersecurity Framework (CSF) so that the two frameworks could be used together more easily. We want to maintain the connection by making appropriate adjustments based on CSF 2.0 changes. In addition, stakeholders have had a few years to use the Privacy Framework and have identified areas where targeted improvements can be made. This year, we intend to implement a modest update to the Privacy Framework to support realignment with CSF 2.0, facilitate ease and effectiveness of use, and ensure the tool is responsive to current privacy risk management needs.
Joint NIST Frameworks Profile for Data Governance
As noted above, we recognize that there is a desire for more support in using the NIST frameworks and resources together. In talking with stakeholders, we realized that data governance is the starting point for many organizations seeking to glean the benefits of data processing while managing privacy, cybersecurity, AI, and IoT risks. Then the light bulb went off that a joint Profile for data governance could be a way to effectively demonstrate complementary use of NIST frameworks and resources. This Profile could take many forms, such as a flow chart or a crosswalk among various NIST Framework Subcategories. We plan to leverage the Privacy Framework 1.1 update process to develop the Profile as many of the same stakeholders will be involved. Ultimately, we want to hear from you if you like this idea and what this resource should look like.
Next Steps
We hope you’ll contribute your expertise to these endeavors through the numerous opportunities to get involved as outlined in this milestone timeline:
Stay Up to Date
As our planning progresses, we will update the development schedule on our New Projects webpage with specific dates. Given that the Privacy Framework update and Data Governance Profile development coincide with the finalization of our Privacy Workforce Taxonomy, we intend to align all three workstreams where practicable.
Details on each stage in this process will be provided through a variety of channels:
We look forward to working with you this year! In the meantime, please let us know what you think about these new initiatives and how we should approach them by contacting us at privacyframework [at] nist.gov.