NIST seeks comment on privacy framework


The National Institute of Standards and Technology has opened up the newest draft of its Privacy Framework to public comment.

The latest version carries a number of notable additions, such as increased flexibility for organizations to choose different requirements based on their privacy outcomes and a concerted effort to "structurally and conceptually" align NIST's privacy and cybersecurity guidance to agencies and organizations.

"A checklist-based approach might make you overinvest in less effective privacy solutions for your situation or underinvest in the ones that would give you the most privacy benefit," NIST's Senior Privacy Advisor Naomi Lefkovitz said in a statement. "The framework is designed to help your organization recognize and then address its own potentially unique situation."

The draft document has already been subject to multiple rounds of public feedback through workshops, webinars and a Request for Information. The organization will accept additional input on the draft through October and will hold another public webinar on Sept. 17.

For this round, NIST is asking for input on a range of aspects related to the framework, such as whether it adequately defines the relationship between privacy and security, whether it enables cost-effective implementation and whether it will be relevant to the glut of IoT devices and artificial intelligence products likely to hit the market over the next few decades.

The framework is currently built around three sections: a core set of recommended privacy protections and activities, a blueprint for developing organizational profiles that outline current privacy practices and desired outcomes, and implementation tiers to help organizations match newer activities with their current technological maturity.

Previous feedback indicated that certain sections, like the core, would need to be less rigidly prescriptive and more flexible to organizations with different missions, priorities and IT maturity.

"Although the views were pretty evenly split on the Core options, stakeholders felt strongly about their preferences because they reflected how closely their organizations collaborated on privacy and cybersecurity, and the maturity of their privacy programs," wrote Lefkovitz in an associated blog. "These reasons told us that we should design the Core to meet organizations where they are today and provide the flexibility to allow them to 'choose their own adventure' when it comes to using both frameworks."

About the Author

Derek B. Johnson is a former senior staff writer at FCW.

