Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.

Https

The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

NIST Requests Comments on a Draft Privacy Risk Management Framework

Note: The deadline for submitting comments on NISTIR 8062 has been extended to July 31, 2015.

Innovations in cloud computing, big data and cyber-physical systems are bringing dramatic changes to how we use information technology. But while these technologies promise important benefits for the nation's economy and security and our quality of life, they pose an increasing risk to individual privacy.

To better anticipate and address the impacts these technologies can have on privacy in federal information systems, the National Institute of Standards and Technology (NIST) has drafted a document that lays out a framework for privacy risk management. NIST is asking for public comment on the draft framework.

"Risk management methods provide systematic ways to identify and address risk and have proven effective in areas such as cybersecurity, safety and finance," says Naomi Lefkovitz, senior privacy policy advisor at NIST. "We see a great deal of potential for these methods to help agencies design and manage federal information systems that minimize risks to privacy."

The draft document supports such methods by providing a common vocabulary, objectives to facilitate privacy engineering, and a risk model for assessing privacy risk in information systems.

The privacy engineering objectives provide a conceptual framework for engineers and system designers to bridge the gap between high-level principles and implementation. The objectives are intended to support privacy risk management by facilitating consistent, actionable and measurable design decisions. The privacy risk model aims to provide a repeatable and measurable method for addressing privacy risk in information systems.

In developing the draft Privacy Risk Management Framework, NIST sought the perspectives and experiences of privacy experts across a variety of sectors in an open and transparent process that included workshops, public comment periods and various other outreach activities.

Future areas of work will focus on improving the application of policy, operational and technical controls to mitigate risks identified with the Privacy Risk Management Framework. NIST will continue to request feedback from federal agencies, academic institutions and other organizations to refine the privacy engineering objectives and the privacy risk model, and to develop additional guidance to assist agencies in determining the likelihood and impact of privacy risks.

Read the full draft document on the NIST website and submit comments to privacyeng [at] nist.gov using the format provided. Collected input will be used to refine the framework. The public comment closes July 13, 2015, at 5 p.m. Eastern time.

This page was updated on July 13, 2015, to reflect a change in the submission deadline.

Released June 2, 2015, Updated January 8, 2018