Draft Update to NIST Privacy Framework Released

NIST has released a draft update to the NIST Privacy Framework (NIST PF). The update is designed to make the NIST PF easier to use in conjunction with the NIST Cybersecurity Framework (NIST CSF), which was updated in 2024, and it was also drafted to address current privacy risk management needs and improve usability.

First released in 2020, the NIST PF was developed to help organizations comply with various privacy obligations while also protecting individual privacy through the use of five core functions:

  • Identify – Develop the organizational understanding to manage privacy risk for individuals arising from data processing.
  • Govern – Develop and implement an organizational governance structure to ensure an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk.
  • Control – Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.
  • Communicate – Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data is processed and associated privacy risks.
  • Protect – Develop and implement appropriate data processing safeguards.

NIST Privacy Framework and NIST CSF Overlap

Because privacy risk and cybersecurity risk share many similarities, the NIST PF and NIST CSF have the same high-level structure to make them easy to use together. One element found in both frameworks is the “Core,” an increasingly granular set of activities and outcomes that can help organizations discuss risk management. The PF 1.1 Public Draft Core is realigned with the CSF 2.0 Core in many places.

“This is a modest but significant update,” said NIST’s Julie Chua, director of NIST’s Applied Cybersecurity Division. “The PF can be used on its own to manage privacy risks, but we have also maintained its compatibility with CSF 2.0 so that organizations can use them together to manage the full spectrum of privacy and cybersecurity risks.”

What’s New in NIST PF 1.1

Notable changes in PF 1.1’s draft update include:

  • Targeted revisions to the Core section: The PF’s draft update makes targeted changes to its core structure and content. Some changes maintain alignment with CSF 2.0, with a focus on the Govern Function (i.e., risk management strategy and policies) and the Protect Function (i.e., privacy and cybersecurity safeguards). Other changes make improvements in response to stakeholder feedback gathered over the past five years through channels such as the NIST Privacy Workforce Public Working Group.
  • A new section on AI and privacy risk management: The initial version of the PF appeared before the use of AI tools such as chatbots became widespread. The draft PF’s Section 1.2.2 briefly outlines ways that AI and privacy risks relate to one another and how PF 1.1 can be used to manage AI privacy risks.
  • A relocation of the PF’s use guidelines to the web: A guide to using the PF is now available on the web, rather than in its former location in Section 3. The online material has been structured as an interactive FAQ page intended to allow users to find answers quickly. Keeping this section online will also enable timely updates in response to user needs.

NIST is accepting public comments on the draft until June 13, 2025. Comments can be emailed to privacyframework@nist.gov. A template for submitting comments can be found at the NIST Privacy Framework website. After the comment period, NIST will consider additional changes and release a final version later this calendar year.

CompliancePoint has a team of privacy professionals that can help your organization design and implement a privacy program that complies with the GDPR, CCPA, and all state privacy laws. Contact us at connect@compliancepoint.com to learn more about our services.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.