NIST seeks comment on privacy framework

The National Institute for Standards and Technology has opened up the newest draft of its Privacy Framework to public comment.

The latest version carries a number of notable additions, such as increased flexibility for organizations to choose different requirements based on their privacy outcomes and a concerted effort to "structurally and conceptually" align NIST's privacy and cybersecurity guidance to agencies and organizations.

"A checklist-based approach might make you overinvest in less effective privacy solutions for your situation or underinvest in the ones that would give you the most privacy benefit," NIST's Senior Privacy Advisor Naomi Lefkovitz said in a statement. "The framework is designed to help your organization recognize and then address its own potentially unique situation."

The draft document has already been subject to multiple rounds of public feedback through workshops, webinars and a Request for Information, and the organization will be accepting additional input on the draft through October and hold another public webinar on Sept. 17.

For this round, NIST is asking for input on a range of aspects related to the framework, such as whether it adequately defines the relationship between privacy and security, enables cost effective implementation and whether it will be relevant to the glut of IoT devices and artificial intelligence products likely to hit the market over the next few decades.

The framework is currently built around three sections: outlining a core set of recommended privacy protections and activities, a blueprint for developing organizational to that outline current privacy practices and desired outcomes, and implementation tiers to help organizations match newer activities with their current technological maturity.

Previous feedback indicated that certain sections, like the core, would need to be less rigidly prescriptive and more flexible to organizations with different missions, priorities and IT maturity.

"Although the views were pretty evenly split on the Core options, stakeholders felt strongly about their preferences because they reflected how closely their organizations collaborated on privacy and cybersecurity, and the maturity of their privacy programs," wrote Lefkowitz in an associated blog. "These reasons told us that we should design the Core to meet organizations where they are today and provide the flexibility to allow them to 'choose their own adventure' when it comes to using both frameworks."