The National Institute of Standards and Technology (NIST) issued a draft update of its Privacy Framework (PFW) on Monday to allow organizations to use it seamlessly with the agency’s Cybersecurity Framework (CSF) 2.0.
The updated version aims to meet current privacy risk management needs and improve usability. The agency is looking for feedback on the draft framework by June 13.
“This is a modest but significant update,” Julie Chua, the director of NIST’s Applied Cybersecurity Division, said in an April 14 press release. “The PFW can be used on its own to manage privacy risks, but we have also maintained its compatibility with CSF 2.0 so that organizations can use them together to manage the full spectrum of privacy and cybersecurity risks.”
The draft release, NIST Privacy Framework 1.1 Initial Public Draft, comes over five years after the release of its original framework, The NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Version 1.0, in January 2020.
NIST first announced it would update its Privacy Framework in February 2024, the same month the agency updated its Cybersecurity Framework.
The changes to the PFW are partly driven by its relationship with the widely used CSF. Privacy risk and cybersecurity risk often overlap, and the two frameworks share the same high-level structure to facilitate their coordinated use.
“The PFW 1.1 Public Draft Core is realigned with the CSF 2.0 Core in many places, making life easier on users,” NIST explained in the press release.
For example, the PFW’s draft update makes targeted changes to its core structure and content, and it contains a new section on AI and privacy risk management.
Another notable change is the guide to using the PFW has been relocated to the web, rather than its former location in Section 3. NIST structured the online material as an interactive FAQ page, allowing the agency to make timely updates and helping users find answers quickly.
In addition to the FAQ page, NIST also maintains a PFW Learning Center with quick-start guides in multiple languages. The center’s page also features a new PFW 1.1 Highlights video with more details.
Stakeholders can submit their comments by emailing them to privacyframework@nist.gov by June 13. After the comment period, NIST said it will “consider additional changes and release a final version later this calendar year.”