A draft update to the NIST Privacy Framework aims to align it with the agency’s 2024 Cybersecurity Framework update while addressing emerging privacy risks and improving usability.


Five years after debuting privacy framework guidelines, the National Institute of Standards and Technology (NIST) has drafted a new version of the NIST Privacy Framework intended to address current privacy risk management needs, maintain alignment with NIST’s recently updated Cybersecurity Framework, and improve usability.

The draft release, NIST Privacy Framework 1.1 Initial Public Draft, is broadly intended to help organizations manage the privacy risks that arise from personal data flowing through complex information technology systems, according to NIST, which notes that “failure to manage these risks effectively can directly affect individuals and society, potentially damaging organizations’ brands, bottom lines, and prospects for growth.”

NIST notes that changes to the Privacy Framework are needed in part because of its relationship to the widely used NIST Cybersecurity Framework (CSF), which received an update of its own in February 2024. Privacy risk is closely related to, and often overlaps with, cybersecurity risk. Because of this, the two frameworks have the same high-level structure to make them easy to use together.

One element shared by both frameworks is the “Core,” an increasingly granular set of activities and outcomes that can help organizations discuss risk management. The Privacy Framework 1.1 Public Draft Core is realigned with the CSF 2.0 Core in many places, aiming to make the two frameworks easier to use together.

“This is a modest but significant update,” says NIST’s Julie Chua, director of NIST’s Applied Cybersecurity Division, in a release. “The [Privacy Framework] can be used on its own to manage privacy risks, but we have also maintained its compatibility with CSF 2.0 so that organizations can use them together to manage the full spectrum of privacy and cybersecurity risks.”

NIST’s Privacy Framework Updates

Among the changes in the NIST Privacy Framework 1.1 draft are:

  • Targeted revisions to the Core section. The Privacy Framework’s draft update makes targeted changes to its core structure and content. Some changes maintain alignment with CSF 2.0, with a focus on the Govern Function (i.e., risk management strategy and policies) and the Protect Function (i.e., privacy and cybersecurity safeguards). Other changes make improvements in response to stakeholder feedback gathered over the past five years through channels such as the NIST Privacy Workforce Public Working Group.
  • A new section on AI and privacy risk management. The initial version of the Privacy Framework appeared before the use of AI tools such as chatbots became widespread. The draft Privacy Framework’s Section 1.2.2 briefly outlines ways that AI and privacy risks relate to one another and how Privacy Framework 1.1 can be used to manage AI privacy risks.
  • A relocation of the Privacy Framework’s use guidelines to the web. Those seeking a guide to using the Privacy Framework now can find this information on the web rather than in its former location in Section 3. The online material has been structured as an interactive FAQ page intended to allow users to find answers quickly. Keeping this section online also will enable timely updates in response to user needs.

In addition to the interactive FAQs, NIST maintains a Privacy Framework Learning Center that includes quick-start guides in several languages. The center’s page now features a Privacy Framework 1.1 Highlights video that offers more details about the draft’s updates.

NIST is accepting public comments on the draft by email until June 13, 2025. A template for submitting comments can be found at the NIST Privacy Framework website. Following the comment period, NIST will consider additional changes and release a final version later this calendar year.
