Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.


NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management

The Privacy Framework is a voluntary tool intended to help organizations identify and manage privacy risk to build beneficial products and services while protecting individuals’ privacy.

NIST Privacy Framework (PDF)

NIST Internal Report (NISTIR) 8062: An Introduction to Privacy Engineering and Risk Management in Federal Systems

NISTIR 8062 introduces the concept of applying systems engineering practices to privacy and provides a new model for conducting privacy risk assessments on federal systems.


NIST Privacy Risk Assessment Methodology (PRAM)

The PRAM is a tool that applies the risk model from NISTIR 8062 and helps organizations analyze, assess, and prioritize privacy risks to determine how to respond and select appropriate solutions. The PRAM can help drive collaboration and communication between various components of an organization, including privacy, cybersecurity, business, and IT personnel.

Worksheet 1: Framing Business Objectives and Organizational Privacy Governance
Worksheet 2: Assessing System Design; Supporting Data Map
Worksheet 3: Prioritizing Risk
Worksheet 4: Selecting Controls
Catalog of Problematic Data Actions and Problems

PRAM (.ZIP)   Version: February 2019

NIST Special Publication (SP) 800-226: Guidelines for Evaluating Differential Privacy Guarantees

SP 800-226 is about differential privacy, a privacy-enhancing technology that quantifies privacy risk to individuals when their information appears in a dataset. In response to President Biden’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, SP 800-226 is intended to help agencies and practitioners of all backgrounds—policy makers, business owners, product managers, IT technicians, software engineers, data scientists, researchers, and academics—better understand how to evaluate promises made (and not made) when deploying differential privacy, including for privacy-preserving machine learning. Additionally, there is a supplemental package of Python Jupyter notebooks that illustrate how to achieve differential privacy and other concepts described in the publication.

Used the PRAM and have suggestions for improving it? Head over to the Privacy Engineering Collaboration Space, where you can share feedback.

 See the PRAM in the Collaboration Space

Created May 11, 2018, Updated January 26, 2024