Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.


The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Summer homework: NIST welcomes comments until 7/31 on draft privacy risk management framework

Update: Deadline extended to 7/31 at 5:00 PM ET!

Earlier today, the privacy engineering team at NIST released its draft NIST Internal Report 8062, Privacy Risk Management for Federal Information Systems, and is seeking comments on that draft. This report introduces a privacy risk management framework (PRMF) for anticipating and addressing privacy risks that result from the processing of personal information in federal information technology systems. In particular, it focuses on three privacy engineering objectives—predictability, manageability, and disassociability—and a privacy risk model.

In developing the PRMF, the team also created a privacy risk assessment methodology (PRAM) to leverage this new framework (appendix D in the report). Thanks go to the NSTIC pilots who decided to use the PRAM to support their alignment with the NSTIC privacy-enhancing and voluntary guiding principle and provide feedback. This effort reflects the cooperative and open process we value so highly with our stakeholders.

The PRMF is modeled after the NIST Risk Management Framework for managing cybersecurity risk and is intended to be a repeatable and measurable tool for improving the understanding, prioritization, and mitigation of privacy risks in information systems. However, more work needs to be done. The privacy engineering team is considering, for future work, how to provide guidance on the selection of technical, policy, and operational controls to address specific privacy risks.

NIST is soliciting input on the report through an open comment period. All feedback is welcome; particularly on the several specific questions for reviewers, available here. Please send all comments to by July 31, 2015, at 5:00pm ET using the comment matrix provided.

We see the release of this draft report as a critical step in the process of how to address privacy concerns in the Identity Ecosystem in a more meaningful and consistent way. The public comment process is critical to building the best product possible – so please share the draft report far and wide and share your thoughts on it with us!

About the author

Naomi Lefkovitz

Naomi Lefkovitz is the Senior Privacy Policy Advisor in the Information Technology Lab at the National Institute of Standards and Technology, U.S. Department of Commerce. Her portfolio includes work...

Related posts

Let’s talk about IoT device security

NIST’s Cybersecurity for the Internet of Things (IoT) Program is beginning stakeholder engagement on identifying a core set of cybersecurity capabilities


Add new comment

  • This question is for testing whether or not you are a human visitor and to prevent automated spam submissions. Image CAPTCHA
    Enter the characters shown in the image.
Please be respectful when posting comments. We will post all comments without editing as long as they are appropriate for a public, family friendly website, are on topic and do not contain profanity, personal attacks, misleading or false information/accusations or promote specific commercial products, services or organizations. Posts that violate our comment policy will not be posted.