The cybersecurity industry has been asked for input on an updated draft of the NIST Privacy Framework. A public consultation is open until June 13th to gather final feedback on the content and structure of the framework, with the aim of making it easier for stakeholders to use.
Organisations will be able to reference it seamlessly with the agency’s Cybersecurity Framework, which received its own update last year to achieve more balanced guidelines on collecting personal data while also protecting individual privacy. The second draft of the NIST Privacy Framework, which comes five years after the initial guidelines were published, addresses modern privacy risk management needs and enhances usability.
The initial public draft broadly intends to outline how organisations can manage current data protection standards in their use of information technology systems and identity management tools collecting personal data. Failure to manage privacy risks effectively can “directly affect individuals and society, potentially damaging organizations’ brands, bottom lines and prospects for growth”, says NIST.
The update to the Privacy Framework is necessary to create greater cohesion with the widely used NIST Cybersecurity Framework, and to regulate the prolific use of AI tools such as chatbots, which are associated with many privacy risks. This has contributed to the notable changes in the PFW 1.1 draft update, which also include targeted revisions to the Core section and the relocation of the PFW’s use guidelines to the web.
“The two frameworks have the same high-level structure to make them easy to use together” – NIST
Other changes make improvements in response to stakeholder feedback gathered over the past five years through channels such as the NIST Privacy Workforce Public Working Group.
“This is a modest but significant update,” said NIST’s Julie Chua, director of NIST’s Applied Cybersecurity Division. “The PFW can be used on its own to manage privacy risks, but we have also maintained its compatibility with CSF 2.0 so that organizations can use them together to manage the full spectrum of privacy and cybersecurity risks.”
Photo credits: N. Hanacek/NIST