The National Institute of Standards and Technology (NIST) announced it is looking to update its Privacy Framework to Version 1.1, four years after the release of its original framework in January 2020.
The initial document, The NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Version 1.0, has helped numerous organizations to improve their privacy programs. However, NIST said it wants to update the framework to reflect recent IT developments, including the release of NIST’s AI Risk Management Framework (AI RMF) and the start of an update to NIST’s Cybersecurity Framework (CSF), Version 2.0.
“The Privacy Framework is a ‘living’ tool meant to evolve to meet stakeholder needs, and the time has come to update to Version 1.1,” Dylan Gilbert, a privacy policy advisor with the Privacy Engineering Program at NIST, wrote in a Jan. 25 blog post. “The initial version was modeled upon the CSF so that the two frameworks could be used together more easily. We want to maintain the connection by making appropriate adjustments based on CSF 2.0 changes.”
“In addition, stakeholders have had a few years to use the Privacy Framework and have identified areas where targeted improvements can be made,” Gilbert added. “This year, we intend to implement a modest update to the Privacy Framework to support realignment with CSF 2.0, facilitate ease and effectiveness of use, and ensure the tool is responsive to current privacy risk management needs.”
NIST said its stakeholders are looking for more resources on how to use its frameworks and resources in privacy, cybersecurity, AI, and the Internet of Things (IoT) together. The agency said that, in developing the new framework, it wants to create “a joint Profile for data governance” to show effectively how these frameworks and resources can be used together.
The profile “could take many forms,” Gilbert said, such as a flow chart or a crosswalk among various NIST Framework subcategories. Ultimately, the agency wants feedback on the idea and said it will develop the profile in coordination with stakeholders.
NIST is planning to host a workshop in the second quarter of 2024, and then release initial public drafts of the Privacy Framework 1.1 and Profile in the third quarter.
The request-for-comments deadline will fall in the fourth quarter of 2024, as will another optional workshop. In the first quarter of 2025, NIST hopes to officially release the Privacy Framework 1.1 and profile.
“As our planning progresses, we will update the development schedule on our New Projects webpage with specific dates,” Gilbert said. “Given that the Privacy Framework update and Data Governance Profile development coincide with the finalization of our Privacy Workforce Taxonomy, we intend to align all three workstreams where practicable.”
In the meantime, the public is invited to share their input on the new initiatives by emailing privacyframework@nist.gov.