
In recent weeks, the National Institute of Standards and Technology released its latest draft of the new Privacy Framework. The forthcoming Privacy Framework will join NIST's widely adopted Cybersecurity Framework (CSF) and Risk Management Framework (RMF), and it can't come a minute too soon. Data privacy and protection has become a growing concern for an increasingly technology-literate consumer base, and state legislatures have already started to respond. With Europe's GDPR already in force and the compliance deadline for the California Consumer Privacy Act (CCPA) approaching, we are only in the early stages of state laws mandating transparent and ethical handling of personal data.

This Is Only The Beginning

As we predicted, the CCPA is only the beginning of state-specific legislation on consumer privacy and data protection. The CCPA, modeled after Europe's GDPR, applies specifically to California residents. Where it diverges from GDPR is in its treatment of the sale of personal data, a pressing issue for California residents given the business models of the Silicon Valley tech titans. The CCPA requires covered businesses to display a clear and conspicuous "Do Not Sell My Personal Information" link so that California residents can opt out of the sale of their data.

While not the first state-specific cyber-related law, the CCPA is one of the first consumer-privacy-focused laws and certainly the most hotly contested, given the regulatory burden it could place on Silicon Valley. We have argued before that a reactive, check-box approach to compliance yields superfluous effort and poor allocation of resources. In the data-privacy space, though, check-box compliance is all we have so far.

Where's The Consolidation

The strategic value of the NIST Cybersecurity Framework is that most US industry- and state-specific requirements use the CSF as a foundation. In short, adopting the CSF future-proofs an organization and lets it focus on risk-based thinking instead of constantly worrying about the next compliance requirement. To date, however, there is no comparable framework for data privacy. The challenge is that we now face a wave of new data-privacy regulation without such an anchor, and the NIST Privacy Framework can be for privacy what the CSF is for security. Furthermore, as CyberSaint co-founder and Chief Product Officer Padraic O'Reilly discussed in his NIST's Golden Trio Webinar, these three frameworks (the CSF, the Privacy Framework, and the RMF) are designed to work together and layer on top of one another to support a holistic data security program.

Building On A Solid Foundation

An industry-recognized gold standard in its own right, the NIST CSF has also served as the foundation for multiple industry-specific requirements: the NYDFS 23 NYCRR 500 regulation for New York financial services organizations, the Department of Defense DFARS mandate for contractors, and the insurance industry's Model Law that multiple states are already adopting all draw their structure and approach from the NIST CSF. Whether a regulation is linked to the CSF directly or indirectly, adopting the backbone framework (in this case, the CSF) lets security teams focus on the points of difference when a new state- or industry-specific requirement arises, rather than scrambling reactively each time.

What The Industry Needs

We are starting to see a groundswell of federal regulation on data privacy and cybersecurity, but the timeline is vague, to say the least. States can move more nimbly, so we can expect more of them to develop their own regulations before a federal standard exists. For organizations that do business in multiple states (commonplace in the internet age), this onslaught of superficially different regulations will leave security teams spinning their wheels. What the industry needs is a gold-standard foundation for the data-privacy element of strong data protection. We at CyberSaint see the NIST Privacy Framework as that standard; the deciding factor will be how quickly it becomes available. Over the coming months, we can expect NIST to collect comments and incorporate them into a further draft or a final version. If more state-specific laws pass in that time, the NIST Privacy Framework's moment will pass. Regardless of whether it comes from NIST or another body, though, for the sake of US security teams we need a foundation to standardize on.
