
New Year, New Initiatives for the NIST Privacy Framework!

It’s been four years since the release of The NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Version 1.0. Since then, many organizations have found it highly valuable for building or improving their privacy programs. We’ve also been able to add a variety of resources to support its implementation.

[Image: Privacy Framework resources. Credit: NIST]
We’re proud of how much has been accomplished in just a few short years, but we’re not resting on our laurels. As another, more famous, Dylan once said, “the times they are a-changin’.” For example, the past year has seen the release of the NIST AI Risk Management Framework (AI RMF) and the start of an update to the NIST Cybersecurity Framework (CSF), Version 2.0. In light of these and other developments in information technology, our stakeholders have expressed a desire for a Privacy Framework update, as well as more help with how to use NIST frameworks and resources in privacy, cybersecurity, Artificial Intelligence (AI), and Internet of Things (IoT) together.

NIST Privacy Framework 1.1

The Privacy Framework is a “living” tool meant to evolve to meet stakeholder needs, and the time has come to update to Version 1.1. The initial version was modeled upon the CSF so that the two frameworks could be used together more easily. We want to maintain the connection by making appropriate adjustments based on CSF 2.0 changes. In addition, stakeholders have had a few years to use the Privacy Framework and have identified areas where targeted improvements can be made. This year, we intend to implement a modest update to the Privacy Framework to support realignment with CSF 2.0, facilitate ease and effectiveness of use, and ensure the tool is responsive to current privacy risk management needs.

Joint NIST Frameworks Profile for Data Governance

As noted above, we recognize that there is a desire for more support in using the NIST frameworks and resources together. In talking with stakeholders, we realized that data governance is the starting point for many organizations seeking to glean the benefits of data processing while managing privacy, cybersecurity, AI, and IoT risks. Then the light bulb went off that a joint Profile for data governance could be a way to effectively demonstrate complementary use of NIST frameworks and resources. This Profile could take many forms, such as a flow chart or a crosswalk among various NIST Framework Subcategories. We plan to leverage the Privacy Framework 1.1 update process to develop the Profile as many of the same stakeholders will be involved. Ultimately, we want to hear from you if you like this idea and what this resource should look like.

Next Steps

We hope you’ll contribute your expertise to these endeavors through the numerous opportunities to get involved as outlined in this milestone timeline:

[Image: Privacy Framework 1.1 and Data Governance Profile milestone timeline. Credit: NIST]

Stay Up to Date

As our planning progresses, we will update the development schedule on our New Projects webpage with specific dates. Given that the Privacy Framework update and Data Governance Profile development coincide with the finalization of our Privacy Workforce Taxonomy, we intend to align all three workstreams where practicable.

Details on each stage in this process will be provided through a variety of channels:

  • Email: As a starting point, be sure to sign up to our Privacy Framework email listserv by sending an email to privacyframework+subscribe@list.nist.gov
  • Website: We will have a dedicated webpage on the main Privacy Framework website to serve as the central repository for all pertinent information and events relating to the Privacy Framework update process and Data Governance Profile development
  • Social Media: If you prefer to get updates via social media, be sure to follow NIST Cyber on LinkedIn and Facebook
  • Contact Us: Finally, you can always contact us with questions or comments at privacyframework@nist.gov

We look forward to working with you this year! In the meantime, please let us know what you think about these new initiatives and how we should approach them by contacting us at privacyframework@nist.gov.

About the author

Dylan Gilbert

Dylan Gilbert is a Privacy Policy Advisor with the Privacy Engineering Program at the National Institute of Standards and Technology, U.S. Department of Commerce. In this role, he advances the development of privacy engineering and risk management processes with a focus on the Privacy Framework and emerging technologies.

Prior to joining NIST, he was Policy Counsel at Public Knowledge where he led and developed all aspects of the organization’s privacy advocacy. This included engagement with civil society coalitions, federal and state lawmakers, and a broad cross-section of external stakeholders on issues ranging from consumer IoT security to the development of comprehensive federal privacy legislation. He spent the early part of his career as a working musician and freelance writer in his native southern California.

Dylan holds a B.A. in English from the College of William and Mary and a J.D. from the George Washington University Law School.
