The National Institute of Standards and Technology (NIST) has released a draft update to the NIST Privacy Framework. The draft release, NIST Privacy Framework 1.1 Initial Public Draft, is designed to help organizations manage privacy risks associated with personal data flowing through complex information technology systems, according to a news release from NIST on April 14.
Changes to the Privacy Framework (PFW) are needed partly because of its relationship to the widely used NIST Cybersecurity Framework (CSF), which was updated in February 2024. Privacy risk is closely related to cybersecurity risk. Because of this, the two frameworks have the same high-level structure, which, according to the NIST, makes them easy to use together.
In particular, one element shared by both frameworks is the “Core,” a granular set of activities and outcomes that can help organizations manage risk. The PFW 1.1 Public Draft Core is realigned with the CSF 2.0 Core in many places, making it more user-friendly.
Other key changes to the draft include a new section on artificial intelligence (AI) and privacy risk management, as well as the relocation of the PFW’s use guidelines to the web.
“The PFW can be used on its own to manage privacy risks, but we have also maintained its compatibility with CSF 2.0 so that organizations can use them together to manage the full spectrum of privacy and cybersecurity risks,” NIST’s Julie Chua, director of NIST’s Applied Cybersecurity Division, said in a statement.
NIST accepts public comments on the draft until June 13, 2025.
