NIST makes first updates to Privacy Framework since 2020

NIST has released a draft update to its Privacy Framework to address concerns around AI, cybersecurity, and privacy risks.

 

What happened

The National Institute of Standards and Technology (NIST) has released a draft update to its Privacy Framework, marking the first revision since its original release in 2020. The updated version, now labeled Version 1.1, is designed to better align with the recently updated NIST Cybersecurity Framework (CSF 2.0) and respond to emerging privacy risks, particularly those introduced by AI and chatbot technologies.

 

Going deeper

The NIST Privacy Framework provides voluntary guidance for organizations looking to manage privacy risks using enterprise-level strategies. Like the Cybersecurity Framework, it includes three main sections: Core (which outlines specific privacy activities), Profiles (used to prioritize those activities), and Implementation Tiers (to help allocate resources effectively).

Version 1.1 incorporates structural updates to better match CSF 2.0, especially in the Govern and Protect Functions, making it easier for organizations to manage cybersecurity and privacy risks together. One of the most significant updates is the new guidance on privacy challenges linked to artificial intelligence and automated tools, topics that were not major concerns when the original framework was introduced.

Usability improvements were also made. NIST has moved usage guidelines from the document to a newly developed interactive FAQ section on its website. This change allows the agency to make real-time updates based on user needs without waiting for another full framework release.

 

What was said

NIST stated that the Privacy Framework can be used independently or in tandem with the CSF. Both frameworks now share a high-level structure, simplifying integrated use for organizations seeking to manage cybersecurity and privacy holistically. NIST is actively seeking feedback from the public on the draft update, with a comment period open until June 13, 2025.

 

FAQs

What is the goal of the NIST Privacy Framework?

The goal is to help organizations identify, assess, and manage privacy risks in a structured and scalable way, tailored to their specific operations and regulatory needs.

 

Is the Privacy Framework legally required?

No, the framework is voluntary and intended as a best-practice guide. However, many organizations use it to align with privacy laws and demonstrate accountability.

 

How does the framework support AI governance?

The updated version includes specific guidance to help organizations assess and mitigate privacy risks introduced by artificial intelligence and automated decision-making tools.

 

Can small businesses use the Privacy Framework?

Yes, the framework is designed to be flexible and scalable, making it suitable for organizations of any size or sector.

 

Where can feedback on the draft update be submitted?

Feedback can be submitted through the official NIST Privacy Framework website before the public comment period ends on June 13, 2025.
