A new U.S. privacy framework is quickly approaching completion. The National Institute of Standards and Technology, which holds the drafting pen, is encouraging stakeholders to share their feedback soon.
Since last October, NIST has been working to develop its Privacy Framework to help organizations identify, internalize and address privacy risk. The framework presents the building blocks of a comprehensive data management program that can be implemented across an organization. NIST aims to bridge the legal/IT divide.
They seem to be succeeding.
On July 8 and 9, NIST presented its latest draft of the framework during a workshop in Boise, Idaho, and solicited feedback from participants. Throughout the two-day event, both technically and legally oriented privacy professionals engaged in extensive discussion. The framework has evolved considerably during the now-10-month old consultation process, demonstrating that NIST is serious about taking stakeholder input onboard.
This consultation process, though, will soon end. For those who have not yet focused on this important work, it’s time to key in and share your thoughts. Here’s an overview of where things stand and the timeline moving forward to help.
NIST has asked for any final comments on the latest version by July 18. Comments can be emailed to privacyframework@nist.gov. By summer’s end, NIST plans to release a “preliminary draft” and conduct a formal public comment process. At that stage, all comments received will be posted publicly on the agency’s website. NIST’s Privacy Framework 1.0 is slated to be released by the end of the year.
Structure
As discussed in an earlier article, the framework is broken into several pieces, including the Core, Use Case Profiles, Implementation Tiers, Informative References, a Roadmap, and a Glossary, among other explanatory material. In the latest version, NIST fleshed out four of these components: the Core, Use Case Profiles, the Roadmap and Glossary. They are now nearly complete. In Boise, workshop participants characterized their suggestions as “refinements” noting that there was “not a need for wholesale changes.”
The Core
The heart of the framework is the Core. The Core presents the “Functions, Categories, and Subcategories that describe specific privacy activities that can support managing privacy risks when systems, products, and services are processing data.” In short, it offers the elements of a privacy management program. The framework is not prescriptive. Rather than presenting requirements, it offers technical, legal and structural privacy controls for consideration based on the context in which the organization is operating. These controls will be grouped into either four or six “functions” depending on the feedback NIST receives. These are identify, govern, control, communicate and potentially protect and respond — both more focused on security considerations.
One of the remaining decisions NIST faces is whether the framework offers a “separated Core” or an “integrated Core.”
Stakeholders debated the options during the event in Boise. Participants in earlier workshops expressed concern that the Core’s inclusion of some security controls from NIST’s companion Cybersecurity Framework would cause confusion among organizations that sought to implement the Privacy Framework after deploying the CSF. Others felt that the inclusion of security elements was crucial to any comprehensive privacy program. While the two frameworks are meant to be closely connected and implemented together, both are also designed to stand on their own.
To address the feedback received, NIST presented two options: a separated core excluding all security elements and an integrated core including baseline security controls. In Boise, workshop participants were divided on the best approach, with preferences tipped slightly toward the integrated version. Proponents of the integrated core argued that it was better suited to enhance collaboration across an organization, bringing the security team together with the legal team to discuss shared goals. Those in favor of the separated core felt it better delineated roles within an organization and made clear that the Privacy Framework should be implemented together with the CSF. Some suggested NIST offer both in the final version and let users decide.
The latest version of the framework introduced another structural change to the Core — the addition of “Govern” as a function. The Govern function groups controls related to legal requirements and organizational privacy policies, which had previously been spread among other functions. NIST made this change in response to feedback from the legal community that earlier drafts did not resonate and that governance elements should be elevated. Stakeholders in Boise welcomed the change.
Use Case Profiles
Use Case Profiles, introduced in the latest version, were similarly well received. NIST presented several examples of how organizations of various sizes and types might use the framework. The profiles clarified that an organization need not adopt all controls presented, but rather only those relevant to its business context. The examples also demonstrated how the functions could be divided between different teams within an organization. This highlighted the broad array of organizational stakeholders that could benefit from and use the framework.
The Glossary
The Glossary generated relatively limited debate, with one exception. Participants suggested that defining “data” was too tall an order. They also noted that new terms should generally be avoided.
The Roadmap
The new Roadmap presents a list of future projects NIST could undertake in collaboration with other partners to support continued development and implementation of the framework. These include mechanisms to provide confidence, such as conformity assessment activities, research into emerging technologies, uniform concepts of privacy risk factors, tools for managing re-identification risk, technical standards, and further development of a skilled privacy workforce.
The Privacy Workforce
NIST expressed particular interest in understanding how the privacy workforce might use this new framework and whether organizations have the knowledge and skills necessary to deploy it.
It invited the IAPP along with industry and civil society representatives to present on the topic in Boise. In preparation, an IAPP team assessed how current privacy certifications align with the NIST Framework. We found that the Certified Information Privacy Manager body of knowledge aligns closely with the Integrated Core and that the Certified Information Privacy Technologist covers the more detailed how-to knowledge relevant to the framework’s technical elements.
We presented our findings to stakeholders in Boise and shared a chart comparing the Integrated Core with the CIPM body of knowledge. Our findings suggest that a growing number of privacy professionals are approaching privacy management as NIST envisions and that the forthcoming Privacy Framework could integrate well with organizations’ current privacy programs.
During the workshop, NIST began exploring whether to map the Core to privacy workforce roles, much like the cybersecurity roles outlined in the NICE Framework. This will likely be a key consideration in the months ahead.
A US privacy framework is on the horizon
Once complete, the Privacy Framework will become immediately available for organizations’ use. Like NIST’s Cybersecurity Framework, it will be voluntary, so no Congressional action is needed to make it a reality.
But, the framework’s voluntary nature is no reason to discount its potential impact. Its companion Cybersecurity Framework has become a de facto standard in many circles, as government and private-sector clients increasingly insist that it be implemented by partners and service providers. Participants in NIST’s workshop series expressed hope that the Privacy Framework might enjoy similar uptake, not only in the U.S., but internationally, as well.
Photo by Steve Johnson on Unsplash