Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

The Preliminary Draft of the NIST Privacy Framework is Here!

Privacy and NIST are in the headlines today and in good way! We are delighted to announce the release of the Preliminary Draft of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management for public comment.

Since our kickoff workshop in October 2018, in Austin, Texas, we put out a Request for Information and we’ve been traveling around the country conducting a series of workshops and roundtables to listen to stakeholders about their challenges with protecting privacy and how we can develop the Privacy Framework into a tool that will help. This Preliminary Draft is the result of these conversations. Our goal was to deliver a tool that could help organizations communicate better about privacy risks when designing and deploying products and services, provide more effective solutions that can lead to better privacy outcomes, and facilitate compliance with their legal obligations. Now it’s your turn to let us know if we met that goal.

Of course, it wouldn’t be as much fun if there wasn’t a little excitement during the development process. Robust discussions about how to describe the relationship between privacy and cybersecurity took center stage. How do we bring privacy risk management into parity with cybersecurity risk management, as well as with organizations’ broader enterprise risk portfolios? How do we address the overlap between data security and privacy breaches in cost-effective and practical ways? Where does the Cybersecurity Framework play a role?

OK, it’s not exactly cage match material, but if we want to make meaningful progress on optimizing beneficial uses of data while minimizing adverse consequences for individuals (or society as a whole) we need to grapple with these issues. From the get-go, we heard from stakeholders a desire to model the Privacy Framework structure after the Cybersecurity Framework such as using the construct of the Core with its high-level Functions, and increasingly granular set of protection activities and outcomes. But there were mixed responses on whether the Privacy Framework and the Cybersecurity Framework should have overlapping Functions with respect to data security, so we decided to workshop it. We proposed two options for the Privacy Framework Core to discuss at our third workshop in Boise, Idaho: one option included Functions from the Cybersecurity Framework to address data security, while the other did not.

Spoiler alert: If you’re looking for the big reveal on which Core we selected, we’re sorry to disappoint you, but this is a drama free zone! Although the views were pretty evenly split on the Core options, stakeholders felt strongly about their preferences because they reflected how closely their organizations collaborated on privacy and cybersecurity, and the maturity of their privacy programs. These reasons told us that we should design the Core to meet organizations where they are today and provide the flexibility to allow them to “choose their own adventure” when it comes to using both frameworks. To demonstrate this flexibility, we’ve created the following Venn diagram, mirroring the one we’ve been using to describe the relationship between privacy and cybersecurity (see section 1.2.1 of the Preliminary Draft).

Privacy Framework Venn Diagram
Credit: NIST

As presented in the Preliminary Draft, there are five Functions in the Privacy Framework: Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P, where the -P distinguishes privacy focused activities versus cybersecurity ones.  The first four can be used to manage privacy risks arising from data processing, while Protect-P can help organizations manage privacy risks associated with privacy breaches along with Detect, Respond, and Recover from the Cybersecurity Framework. Protect-P is not the only way to manage privacy risks associated with privacy breaches. Alternatively, organizations could use all of the Cybersecurity Framework Functions in conjunction with Identify-P, Govern-P, Control-P, and Communicate-P to collectively address privacy and cybersecurity risks.

At NIST, we believe in the importance of collaboration between privacy and cybersecurity teams. That’s why we’ve been working to integrate privacy into our cybersecurity guidance. Special Publications 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, 800-53 Rev. 5 (draft), Security and Privacy Controls for Federal Information Systems, and 800-63 Rev. 3, Digital Identity Guidelines are all good examples of our efforts to date. But as noted above, we also recognize that it’s important to build a tool that is usable regardless of an organization’s structure. We realize that this flexibility comes at a cost of some complexity. Therefore, we plan to continue to discuss the best way to encourage more collaboration while simplifying our approach to our various frameworks.

So far, developing the Privacy Framework has been a true pleasure because of the fantastic engagement of our stakeholders. Although reaching version 1.0 will really just be the first of many milestones, if you’ve joined in the journey already, thank you! If you haven’t yet, don’t miss this opportunity to share your feedback with us.

We will be accepting public comments on the Preliminary Draft through October 24, 2019. Submission instructions can be found here. If you would like to learn more about the Preliminary Draft, please join our NIST Privacy Framework Webinar: Ready, Set, Comment on the Preliminary Draft on September 17, 2019 (a recording will be posted afterwards). We’ll also be out and about at various events over the next few months – visit our website for more information about where to engage with us or privacyframework [at] (reach out) to learn more about becoming an early adopter of the Privacy Framework. Happy reviewing!

About the author

Naomi Lefkovitz

Naomi Lefkovitz is the Senior Privacy Policy Advisor in the Information Technology Lab at the National Institute of Standards and Technology, U.S. Department of Commerce. Her portfolio includes work on the National Strategy for Trusted Identities in Cyberspace (NSTIC), privacy engineering, privacy-enhancing technologies, cybersecurity and standards development.

FierceGovernmentIT named Ms. Lefkovitz on their 2013 “Fierce15” list of the most forward-thinking people working within government information technology, and she is a 2014 Federal 100 Awards winner.

Before joining NIST, she was the Director for Privacy and Civil Liberties in the Cybersecurity Directorate of the National Security Staff in the Executive Office of the President. Her portfolio included the NSTIC as well as addressing the privacy and civil liberties impact of the Obama Administration’s cybersecurity initiatives and programs.

Prior to her tenure at the White House, Ms. Lefkovitz was a senior attorney with the Division of Privacy and Identity Protection at the Federal Trade Commission. Her responsibilities focused primarily on policy matters, including legislation, rulemakings, and business and consumer education in the areas of identity theft, data security and privacy.

At the outset of her career, she was Assistant General Counsel at CDnow, Inc., an early online music retailer.

Ms. Lefkovitz holds a B.A. with honors in French Literature from Bryn Mawr College and a J.D. with honors from Temple University School of Law.

Related posts


Add new comment

Enter the characters shown in the image.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Please be respectful when posting comments. We will post all comments without editing as long as they are appropriate for a public, family friendly website, are on topic and do not contain profanity, personal attacks, misleading or false information/accusations or promote specific commercial products, services or organizations. Comments that violate our comment policy or include links to non-government organizations/web pages will not be posted.