NIST seeks comment on privacy framework


The National Institute of Standards and Technology has opened up the newest draft of its Privacy Framework to public comment.

The latest version carries a number of notable additions, such as increased flexibility for organizations to choose different requirements based on their privacy outcomes and a concerted effort to "structurally and conceptually" align NIST's privacy and cybersecurity guidance to agencies and organizations.

"A checklist-based approach might make you overinvest in less effective privacy solutions for your situation or underinvest in the ones that would give you the most privacy benefit," NIST's Senior Privacy Advisor Naomi Lefkovitz said in a statement. "The framework is designed to help your organization recognize and then address its own potentially unique situation."

The draft document has already been subject to multiple rounds of public feedback through workshops, webinars and a Request for Information, and the organization will be accepting additional input on the draft through October and hold another public webinar on Sept. 17.

For this round, NIST is asking for input on a range of aspects related to the framework, such as whether it adequately defines the relationship between privacy and security, enables cost-effective implementation, and whether it will be relevant to the glut of IoT devices and artificial intelligence products likely to hit the market over the next few decades.

The framework is currently built around three sections: a core that outlines a set of recommended privacy protections and activities, a blueprint for developing organizational profiles that outline current privacy practices and desired outcomes, and implementation tiers to help organizations match new activities with their current technological maturity.

Previous feedback indicated that certain sections, like the core, would need to be less rigidly prescriptive and more flexible to organizations with different missions, priorities and IT maturity.

"Although the views were pretty evenly split on the Core options, stakeholders felt strongly about their preferences because they reflected how closely their organizations collaborated on privacy and cybersecurity, and the maturity of their privacy programs," wrote Lefkovitz in an associated blog. "These reasons told us that we should design the Core to meet organizations where they are today and provide the flexibility to allow them to 'choose their own adventure' when it comes to using both frameworks."

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be followed on Twitter @derekdoestech.
