NIST Updates Privacy Framework, Tying It to Recent Cybersecurity Guidelines

How can society benefit from the use of personal data while also protecting individual privacy? Five years after debuting guidelines that can help organizations balance these goals, the National Institute of Standards and Technology (NIST) has drafted a new version of the NIST Privacy Framework intended to address current privacy risk management needs, maintain alignment with NIST’s recently updated Cybersecurity Framework, and improve usability.

The draft release, NIST Privacy Framework 1.1 Initial Public Draft, is broadly intended to help organizations manage the privacy risks that arise from personal data flowing through complex information technology systems. Failure to manage these risks effectively can directly affect individuals and society, potentially damaging organizations’ brands, bottom lines and prospects for growth.

Changes to the Privacy Framework (PFW) are needed in part because of its relationship to the widely used NIST Cybersecurity Framework (CSF), which received an update of its own in February 2024. Privacy risk is closely related to, and often overlaps with, cybersecurity risk. Because of this, the two frameworks have the same high-level structure to make them easy to use together.

One element shared by both frameworks is the “Core,” an increasingly granular set of activities and outcomes that can help organizations discuss risk management. The PFW 1.1 Public Draft Core is realigned with the CSF 2.0 Core in many places, making life easier on users.

“This is a modest but significant update,” said NIST’s Julie Chua, director of NIST’s Applied Cybersecurity Division. “The PFW can be used on its own to manage privacy risks, but we have also maintained its compatibility with CSF 2.0 so that organizations can use them together to manage the full spectrum of privacy and cybersecurity risks.”

Among the notable changes in PFW 1.1’s draft update are:

• Targeted revisions to the Core section. The PFW’s draft update makes targeted changes to its core structure and content. Some changes maintain alignment with CSF 2.0, with a focus on the Govern Function (i.e., risk management strategy and policies) and the Protect Function (i.e., privacy and cybersecurity safeguards). Other changes make improvements in response to stakeholder feedback gathered over the past five years through channels such as the NIST Privacy Workforce Public Working Group.
• A new section on AI and privacy risk management. The initial version of the PFW appeared before the use of AI tools such as chatbots became widespread. The draft PFW’s Section 1.2.2 briefly outlines ways that AI and privacy risks relate to one another and how PFW 1.1 can be used to manage AI privacy risks.
• A relocation of the PFW’s use guidelines to the web. Those seeking a guide to using the PFW now can find this information on the web rather than in its former location in Section 3. The online material has been structured as an interactive FAQ page intended to allow users to find answers quickly. Keeping this section online also will enable timely updates in response to user needs.

In addition to the interactive FAQs, NIST maintains a PFW Learning Center that includes quick-start guides in several languages. The center’s page now features a PFW 1.1 Highlights video that offers more details about the draft’s updates.

NIST is accepting public comments on the draft via privacyframework [at] nist.gov (privacyframework[at]nist[dot]gov) until June 13, 2025. A template for submitting comments can be found at the NIST Privacy Framework website. Following the comment period, NIST will consider additional changes and release a final version later this calendar year.

NIST Privacy Framework 1.1 Initial Public Draft Highlights