NIST Privacy Framework (DRAFT)

    The Framework will be a voluntary tool for organizations to better identify, assess, manage, and communicate about privacy risks. It will help to ensure that individuals can enjoy the benefits of innovative technologies with greater confidence and trust. Currently, the NIST Privacy Framework is still under development. The latest outline was published on April 30, 2019; it described the Framework’s attributes, provided a high-level alignment with the NIST Cybersecurity Framework, addressed the three components of the Framework, and proposed a more in-depth treatment of risk management. Feedback on this outline can be sent to [email protected].

    Last Updated: July 30, 2019


  • General

    NIST is developing the Privacy Framework with the diverse privacy needs arising from fast-growing, cutting-edge technologies such as the Internet of Things and artificial intelligence in mind. NIST has been working with private and public sector stakeholders in developing the Privacy Framework. As the leader in developing this framework, NIST has a long track record of successfully and collaboratively working with the private sector and federal agencies to establish guidelines and standards. There is no executive order or other authoritative driver for NIST to develop this framework.

    NIST’s recent Privacy Framework Discussion Draft reflects an interest in developing a framework that could be readily usable as part of an enterprise’s broader risk management processes, that is scalable to organizations of various sizes, and that could be suitable for a greater range of organizations.

    The latest discussion draft features the increased integration of constructs referenced in NIST’s Request for Information document, such as the Fair Information Practice Principles, the information life cycle, and the NIST privacy engineering objectives (i.e., predictability, manageability, disassociability), among other constructs. It also provides guidance on understanding privacy risks and privacy risk management. Further, the draft provides a proposed Core, which includes functions, categories, and subcategories. The functions described are Identify, Protect, Control, Inform, and Respond, and they are further detailed with applicable categories of policies and practices. Additionally, NIST’s current draft defines informative references as specific sections of standards, guidelines, and practices that can be mapped to the Core subcategories and support achievement of the subcategory outcomes. A mapping of the Core to relevant NIST guidance is included here, and NIST also plans to develop a process for accepting external informative references. Support from stakeholders regarding the alignment of the structure of the Privacy Framework and the Cybersecurity Framework led NIST to generate this document to facilitate the discussion of the overlap and differences between the two frameworks at its recent Drafting the NIST Privacy Framework: Workshop #2.

    It is worth noting that the Department of Commerce’s National Telecommunications and Information Administration (NTIA) is developing a set of privacy principles intended to support a U.S. approach that advances consumer privacy protections while protecting prosperity and innovation. NTIA is coordinating with the department’s International Trade Administration to ensure consistency with international policy objectives. Compared with NTIA’s privacy principles, which focus on developing U.S. domestic policy, the NIST framework aims to be an enterprise-level privacy risk management tool that is compatible with, and supports, organizations’ ability to operate under applicable domestic and international legal or regulatory regimes.

    The NIST Privacy Framework is intended to provide a catalog of privacy outcomes and approaches for organizations of all kinds to better identify, assess, manage, and communicate about privacy risks. The Privacy Framework will help organizations prioritize strategies that create flexible and effective privacy protection solutions. Rather than a one-size-fits-all approach to risk management, the framework aims to give organizations flexibility and help them better manage privacy risks within their diverse environments. The Framework’s attributes can be summarized as follows:

    • Risk-based, outcome-based, voluntary, and non-prescriptive;
    • Adaptable to many different organizations, technologies, lifecycle phases, sectors, and uses;
    • Using a common and accessible language; and
    • Compatible with both domestic and international legal or regulatory regimes.

    The Framework will have a high-level alignment with the NIST Cybersecurity Framework to enable greater compatibility between the two frameworks. However, good cybersecurity practices do not by themselves mean full compliance with the Privacy Framework. The Privacy Framework addresses the full scope of privacy risks arising from data processing, as well as from how individuals interact with an organization’s products, services, or systems. The Framework will clarify the relationship and differences between the Cybersecurity Framework and the Privacy Framework.

    There are three components of the Privacy Framework which align to the structure of the Cybersecurity Framework:

    • Core – This provides a set of activities to achieve specific privacy outcomes, and reference examples of guidance to achieve those outcomes.
    • Profiles – This is the alignment of the Core outcomes or activities with the business requirements, risk tolerance, privacy objectives, and resources of the organization. An organization does not need to meet every outcome or activity set in the Core. Each organization may develop its Profile based on the organizational or industry sector goals, legal or regulatory requirements and industry best practices, the privacy needs of the individuals involved, and the organization’s risk management priorities.
    • Tiers – These provide the context of an organization’s risk management scheme. There are four tiers. The Framework encourages organizations identified as Tier 1 to consider moving to Tier 2. However, Tier 3 and Tier 4 are not recommended for all organizations. The Tiers provide organizations with choices of risk management based on their specific situations.

    In addition, NIST plans to provide a more in-depth treatment of privacy risk management to address the gap resulting from the lack of widely agreed-upon concepts for privacy risk management. Such treatment may include providing a uniform privacy risk model.
