NIST updates Privacy Framework to better align with new Cybersecurity Framework

In biometrics and digital identity discussions, privacy and security are often grouped together in theory – though less so in practice, wherein silos remain a challenge. How can data be used responsibly to improve life while truly maintaining individual digital privacy and keeping personal data secure?
The U.S. National Institute of Standards and Technology (NIST) says it has updated its Privacy Framework in an effort to bring privacy and security into closer alignment. A release from NIST says a draft of the updated Privacy Framework is “intended to address current privacy risk management needs, maintain alignment with NIST’s recently updated Cybersecurity Framework, and improve usability.”
Privacy risk is closely related to, and often overlaps with, cybersecurity risk, says NIST. “Because of this, the two frameworks have the same high-level structure to make them easy to use together.”
The Cybersecurity Framework (CSF) was updated in February 2024. That update included a feature shared with the new Privacy Framework (PFW): tweaks to the “Core” – “an increasingly granular set of activities and outcomes that can help organizations discuss risk management.”
New framework addresses overlap with AI, simplifies UX
The PFW 1.1 Public Draft Core includes changes to structure and content, partly in response to feedback gathered through public channels. A new section on AI and privacy risk management “briefly outlines ways that AI and privacy risks relate to one another and how PFW 1.1 can be used to manage AI privacy risks.” Changes to the guidelines on using the framework make them easier to access and use.
All of the updates aim to align the PFW more closely with the CSF 2.0, to help organizations manage privacy risks involved in processing personal data through complex information systems.
Julie Chua, director of NIST’s Applied Cybersecurity Division, calls it a “modest but significant” update. “The PFW can be used on its own to manage privacy risks, but we have also maintained its compatibility with CSF 2.0 so that organizations can use them together to manage the full spectrum of privacy and cybersecurity risks,” Chua says.
NIST is accepting public feedback on PFW 1.1 Initial Public Draft until June 13, 2025, via privacyframework@nist.gov. A template for submitting comments can be found at the NIST Privacy Framework website. A final version of the revised PFW is expected later in 2025.