On Wednesday, May 1, the National Institute of Standards and Technology (NIST) released their latest draft version of the much anticipated NIST Privacy Framework. Following the same model that the NIST Cybersecurity Framework (CSF), NIST has been actively workshopping the lessons learned and framework with specialists in both the public and private sectors and the public draft is also a hallmark of the collaborative, crowdsourced approach that NIST takes to developing their frameworks.
Data privacy has emerged as a top concern for consumers everywhere, brought to light with the European General Data Privacy Regulation (GDPR) and transplanted to the United States in the forms of the California Consumer Privacy Act (CCPA) and similar state-specific data privacy and protection requirements. The NIST Privacy Framework has been anticipated to play a similar role to the CSF as a voluntary gold standard that public and private information systems, including federal agencies, can use in varying degrees of implementation. Further, the value proposition of a gold-standard privacy framework, as the CSF is to information security, is that it helps regulatory bodies develop requirements based on that framework.
Similarities Between The CSF and Privacy Framework
In my webinar examining the interplay between NIST’s three main frameworks: the CSF, the NIST Risk Management Framework (RMF), and the Privacy Framework, I discussed how important it would be for the new Privacy Framework to connect to the CSF. As we’ve explored before here, data privacy and data security are inextricably connected - while security can exist without regard for privacy, data privacy cannot exist without regard for security. As she discussed at the NIST Cyber Risk Management Conference in November, Naomi Lefkovitz, privacy engineering program head at NIST, spoke about how NIST looks at security and privacy as a Venn diagram and that idea was embodied in the working draft. I was heartened to see that the Privacy Framework did in fact interplay with the CSF quite well.
The CSF relies on five core functions - identity, detect, protect, respond, and recover - as the foundation for the framework. The Privacy Framework takes a similar approach using five functions as well. Two of the privacy functions are net new but related--Control and Inform--and three are taken directly from the CSF:
Alongside these key indicators, the working draft explicitly says that the CSF can be leveraged to support the new Privacy Framework. From working as a consultant and building the CyberStrong platform, I can see specifically that the CSF can ingest the two new functions: control and inform.
The Rise of Privacy Risk Assessments?
A very interesting point I found in the working draft was the reference to a privacy risk assessment. In fact, it was a hallmark of the working draft. It is a very interesting point - understanding the potential conflicts around privacy through a risk assessment. Examining Naomi’s Venn diagram analogy further, a privacy risk assessment seems to be about striking a balance between protection and the use of personally identifying information (PII). In the case of conducting risk assessments, both for managing cybersecurity risk as well as privacy risk, it becomes all the more paramount to ensure harmony between cybersecurity and privacy frameworks to extend the life cycle of your organization.
Key Points For the Privacy Framework Moving Forward
For me, the issue of creating and strengthening a privacy framework is key, but going forward the real issue will be around harmonizing multiple standards and activities, and getting the whole organization on board with that. The greatest challenge that our users (and the industry as a whole) is facing is the patchwork of regulations both regarding security and privacy. From a foundational perspective, the outcome-based approach of the NIST CSF has been the primary factor for many regulations being built using the framework. In the case of the Privacy Framework, it is almost a race against the clock. The industry needs a similar foundational framework that practitioners can adopt for privacy.
Going even further, I’m very excited for the system developments that we’re working on within the CyberStrong platform for advanced crosswalking that goes beyond the UCF for both privacy and cybersecurity frameworks. As more and more regulations emerge, the ability to adopt a standard like the CSF or SP 800-53 and then benchmark against industry-specific requirements like HIPAA or PCI will become all the more important. Similarly, the NIST Privacy Framework can be that same foundation for privacy, security, and risk management. Using CyberStrong will allow you to project into more specific frameworks like GDPR and CCPA. In all, I applaud the exciting work that NIST put into the draft and am excited to see the Privacy Framework evolve.