
What The NIST Privacy Framework Draft Means For Privacy and Cybersecurity


On Wednesday, May 1, the National Institute of Standards and Technology (NIST) released the latest draft of the much anticipated NIST Privacy Framework. Following the same model as the NIST Cybersecurity Framework (CSF), NIST has been actively workshopping the framework with specialists in both the public and private sectors, and the public draft is another hallmark of the collaborative, crowdsourced approach NIST takes to developing its frameworks.

Data privacy has emerged as a top concern for consumers everywhere, brought to light by the European General Data Protection Regulation (GDPR) and transplanted to the United States in the form of the California Consumer Privacy Act (CCPA) and similar state-specific data privacy and protection requirements. The NIST Privacy Framework is expected to play a role similar to the CSF: a voluntary gold standard that public and private organizations alike can adopt to varying degrees of implementation. Further, the value of a gold-standard privacy framework, as the CSF is for information security, is that it gives regulatory bodies a common foundation on which to build their requirements.

Similarities Between The CSF and Privacy Framework

In my webinar examining the interplay between NIST’s three main frameworks - the CSF, the NIST Risk Management Framework (RMF), and the Privacy Framework - I discussed how important it would be for the new Privacy Framework to connect to the CSF. As we’ve explored here before, data privacy and data security are inextricably connected - while security can exist without regard for privacy, data privacy cannot exist without regard for security. At the NIST Cyber Risk Management Conference in November, Naomi Lefkovitz, privacy engineering program head at NIST, spoke about how NIST views security and privacy as a Venn diagram, and that idea is embodied in the working draft. I was heartened to see that the Privacy Framework does in fact interplay with the CSF quite well.

The CSF relies on five core functions - identify, protect, detect, respond, and recover - as the foundation of the framework. The Privacy Framework takes a similar approach, also using five functions. Two of the privacy functions are net new but related - Control and Inform - and three are taken directly from the CSF:

Alongside these shared functions, the working draft explicitly says that the CSF can be leveraged to support the new Privacy Framework. From working as a consultant and building the CyberStrong platform, I can see specifically how the CSF can absorb the two new functions, control and inform.

The Rise of Privacy Risk Assessments?

One of the most interesting points in the working draft, and in fact one of its hallmarks, is the reference to a privacy risk assessment: understanding the potential conflicts around privacy through a risk assessment. Taking Naomi’s Venn diagram analogy further, a privacy risk assessment is about striking a balance between protecting personally identifiable information (PII) and using it. When risk assessments are conducted both for managing cybersecurity risk and for managing privacy risk, it becomes all the more important to ensure harmony between the cybersecurity and privacy frameworks.

Key Points For the Privacy Framework Moving Forward

For me, creating and strengthening a privacy framework is key, but going forward the real issue will be harmonizing multiple standards and activities, and getting the whole organization on board with that. The greatest challenge that our users (and the industry as a whole) are facing is the patchwork of regulations covering both security and privacy. From a foundational perspective, the outcome-based approach of the NIST CSF has been the primary reason so many regulations have been built on top of the framework. In the case of the Privacy Framework, it is almost a race against the clock: the industry needs a similar foundational framework that practitioners can adopt for privacy.

Going even further, I’m very excited about the developments we’re working on within the CyberStrong platform for advanced crosswalking that goes beyond the UCF for both privacy and cybersecurity frameworks. As more and more regulations emerge, the ability to adopt a standard like the CSF or SP 800-53 and then benchmark against industry-specific requirements like HIPAA or PCI will become all the more important. Similarly, the NIST Privacy Framework can be that same foundation for privacy, and using CyberStrong will allow you to project it into more specific frameworks like GDPR and CCPA. In all, I applaud the work NIST put into the draft and am excited to see the Privacy Framework evolve.
