Why is a privacy framework needed?

It is a challenge to design, operate, or use technologies in ways that are mindful of diverse privacy needs in an increasingly connected and complex environment. Cutting-edge technologies such as the Internet of Things and artificial intelligence are raising further concerns about their impacts on individuals’ privacy. Inside and outside the U.S., there are multiplying visions for how to address these challenges. Deriving benefits from data while simultaneously managing risks to individuals’ privacy is not well-suited to one-size-fits-all solutions. Accordingly, the National Institute of Standards and Technology (NIST) is developing a voluntary privacy framework, in collaboration with private and public sector stakeholders, to help organizations with:

While good cybersecurity practices help manage privacy risk by protecting people’s data, privacy risks also can arise from how organizations process this data to meet their mission or business objectives. The voluntary Privacy Framework—through a risk- and outcome-based approach—is intended to be flexible enough to address diverse privacy needs, enable more innovative and effective solutions that can lead to better outcomes for individuals and enterprises, be compatible with existing domestic and international legal and regulatory regimes in order to be the most useful to organizations and enable widespread adoption, and stay current with technology trends, including artificial intelligence and the Internet of Things.

What will the NIST Privacy Framework look like?

The development process of the framework to date includes a request for information, three public workshops, four webinars, and the release of staged deliverables for stakeholder feedback (e.g., outline, discussion draft, supplemental materials). Based on this stakeholder feedback, the latest draft of the framework is the Preliminary Draft, which follows the structure of the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework), to facilitate the use of both frameworks together and address the full scope of privacy risk. Like the Cybersecurity Framework, the Preliminary Draft is composed of three parts: the Core, Profiles, and Implementation Tiers. Each component reinforces privacy risk management through the connection between business and mission drivers and privacy protection activities. Version 1.0 is anticipated to be released by the end of 2019.

Will anyone be required to use the NIST Privacy Framework?

The NIST Privacy Framework will be a voluntary tool. To foster innovation in products and services and to promote research for and adoption of effective privacy solutions, the Preliminary Draft of the framework provides a catalog of privacy outcomes and approaches to be used voluntarily rather than a set of one-size-fits-all requirements. It aims to assist organizations in better managing privacy risks within their diverse environments, rather than prescribing the methods for managing privacy risk. The framework is designed to be law- and regulation-agnostic to facilitate organizations’ ability to operate under different domestic and international legal or regulatory regimes.

What is NIST’s process for developing the Privacy Framework, and how can organizations engage?

NIST is modeling the approach for this framework on the successful, open, transparent, and collaborative approach used to develop the Framework for Improving Critical Infrastructure Cybersecurity. NIST has been convening and working with industry; civil society groups; academic institutions; Federal agencies; state, local, territorial, tribal, and foreign governments; standard-setting organizations; and others, conducting extensive outreach through a series of workshops and requests for public comment. These engagement opportunities offer stakeholders the ability to participate and play a formative role in developing a tool that is useful and effective for a wide range of organizations. NIST has released the Preliminary Draft of the framework and anticipates releasing Version 1.0 by the end of 2019. For more information, see the development schedule. To receive periodic updates about the process and opportunities to engage, subscribe to the Privacy Framework mailing list. Stakeholders can also email privacyframework [at] nist.gov with questions or to learn more about becoming an early adopter of the Privacy Framework.

For whom is the NIST Privacy Framework intended?

The Privacy Framework is intended to be widely usable by organizations of all sizes and agnostic to any particular technology, sector, law, or jurisdiction, as well as by any organization or entity regardless of its role in the data processing ecosystem—the complex and interconnected relationships among entities involved in creating or deploying systems, products, or services. The Privacy Framework is intended to encourage cross-organization collaboration between different parts of an organization’s workforce, including executives, legal, and IT.

Is there an Executive Order or other authoritative driver for NIST to do this work?

In keeping with its mission, NIST is developing a voluntary privacy framework as an enterprise-level tool to assist organizations with better management of privacy risks within their diverse environments and increase trust in products and services. NIST has a long track record of successfully and collaboratively working with the private sector and federal agencies to develop guidelines and standards. With experience in developing the Framework for Improving Critical Infrastructure Cybersecurity, and extensive privacy expertise in its Privacy Engineering Program, NIST is well positioned to lead the development of the Privacy Framework.

What is the relationship between the Cybersecurity Framework and the NIST Privacy Framework currently under development?

NIST has modeled the development of the Privacy Framework on the successful, open, transparent, and collaborative approach used to develop the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework). NIST received feedback from stakeholders to align the structure of the Privacy Framework with the Cybersecurity Framework so the two frameworks could more easily be used together. In response to this feedback, NIST has released a Preliminary Draft that—following the structure of the Cybersecurity Framework—is composed of three parts: the Core, Profiles, and Implementation Tiers.

An outstanding issue that remains is the degree to which the Privacy Framework and Cybersecurity Framework should overlap with respect to managing data breach risks. NIST recognizes the importance of collaboration between privacy and cybersecurity teams. At the same time, organizations approach this issue in different ways. In the short term, the Preliminary Draft demonstrates NIST’s initial approach to addressing the overlap by providing flexibility while encouraging collaboration. In the longer term, NIST will continue to work to simplify the approach to its various frameworks.

How does the NIST Privacy Framework relate to other NIST cybersecurity and privacy guidance and work?

NIST consistently coordinates across program and research areas to leverage the appropriate expertise from various domains and to promote alignment and improvement of NIST guidance. Although some NIST guidance is primarily directed towards Federal agencies to help them comply with statutory or Federal policy requirements, this framework - as a voluntary tool - is envisioned to help organizations of all kinds better manage privacy risks within their diverse environments. NIST will coordinate accordingly and draw upon its work in security and privacy risk management in the process of developing the framework while recognizing that different uses may necessitate different types of tools. NIST will continue to work to simplify its approach to cybersecurity and privacy guidance.

How does the Privacy Framework relate to other international frameworks promoted by the Department of Commerce?

While use of the Privacy Framework does not mean that organizations are automatically in compliance with Privacy Shield or APEC CBPR, organizations can use their achievement of privacy protection activities and outcomes in the Privacy Framework to better demonstrate how they may be meeting specific requirements under Privacy Shield or APEC CBPR.

What are Privacy Framework Informative References?

As described in the Preliminary Draft, informative references are specific sections of standards, guidelines, and practices that support the achievement of the outcomes associated with each Subcategory. The Privacy Framework’s Functions, Categories, and Subcategories are essentially the “what” to achieve, and the Informative References are the “how” to achieve it.

Where can I find Informative References for the Privacy Framework?

NIST has provided a mapping of the Preliminary Draft’s Subcategories to relevant NIST guidance. NIST is also developing a process for accepting Informative References from external organizations to be collected and shared in an online repository.

Will NIST provide mappings between the Privacy Framework and laws and regulations?

NIST is developing a process for accepting Informative References from external organizations to be collected and shared in an online repository. NIST welcomes Informative References that provide mappings to laws and regulations. For updates on the process development, subscribe to the Privacy Framework mailing list or visit the website.

I haven't been able to attend any of the public workshops. How can I learn more about what was discussed and engage in the development process?

There are a variety of resources available on the Privacy Framework website, including workshop videos, summaries, and supporting materials; webinars; and information on how to submit feedback.

When does NIST intend to publish Version 1.0 of the Privacy Framework?

NIST anticipates publishing Version 1.0 on the Privacy Framework website by the end of the 2019 calendar year.

Can my organization become an early adopter of the Privacy Framework?

Of course! Any organization can use the Privacy Framework. Organizations are encouraged to take the Preliminary Draft for a trial run and share insights as feedback to NIST. NIST is also seeking organizations interested in showing leadership in privacy by adopting Version 1.0 once it’s published. Email privacyframework [at] nist.gov to learn more about becoming an early adopter.

What are next steps for the Privacy Framework?

Visit the working drafts page to read the latest draft and share feedback with NIST. Check out the events page for the most up-to-date opportunities to engage with NIST on the Privacy Framework, and subscribe to the mailing list to receive updates. NIST anticipates publishing Version 1.0 on the Privacy Framework website by the end of the 2019 calendar year.

Who can answer additional questions regarding the Privacy Framework?

Review the Privacy Framework website for more information, or contact NIST via email at privacyframework [at] nist.gov.