Privacy Framework: NIST is in the House.

This month, NIST kicked off a series of public meetings to highlight its efforts to create a voluntary Privacy Framework. Much in the same way it developed the Cybersecurity Framework, NIST is trying to achieve a technology-privacy balance within the guidance by crowdsourcing its way there. By bringing in views from federal agencies, small businesses, big tech, innovators, lawyers, consultants, industry groups, all levels of technology users (including the most vulnerable), and others, NIST aims to develop:

“a voluntary privacy framework as an enterprise risk management tool for organizations” using a “forward-thinking approach that supports innovation and strong consumer privacy protections.”

NIST FACT SHEET (September 2018).

NIST is taking the lead, while

On September 24, 2018, the Brookings Institute of Washington, DC hosted one of the first public forums to discuss the way ahead. The general consensus was that the timing is right for a NIST privacy framework. NIST is undoubtedly capable of creating frameworks that are robust and flexible at the same time. However, we all know the devil will be in the details.

Some challenging questions that are being considered:

  • What are the optimal security controls with respect to privacy?
  • How will the framework reflect the reality that privacy has political and legal undertones, and organizations are already building privacy programs that need to comply with different state and national laws?
  • How will NIST deal with the value judgement part of building privacy standards? (Who are we protecting and why?)

Regarding privacy-related security controls, the discussion touched on the fact that NIST is really good at crafting science-based, technology-aware, concrete controls. In fact, NIST already has a significant amount of guidance that incorporates privacy considerations into information security guidance:

NIST guidance roadmap

For example, in May 2018, NIST put out a draft update to its Risk Management Framework (RMF), which is widely used in the DoD and the intelligence community, that incorporates privacy considerations. A final draft is expected in October 2018.

Also, NISTIR 8062 “An Introduction to Privacy Engineering and Risk Management in Federal Systems” is particularly relevant to the issue of privacy by design.

When the discussion turned to the challenge of creating a voluntary framework amid the flood of mandatory privacy laws, heads started to nod. According to the National Conference of State Legislators, there are over 40 U.S. laws on privacy, including laws on:

  • Consumer Data Privacy
  • Children’s Online Privacy
  • e-Reader/ Library Privacy
  • Privacy Policies and Practices for Websites or Online Services
  • Privacy of Personal Information Held by Internet Service Providers
  • False and Misleading Statements in Website Privacy Policies
  • Notice of Monitoring of Employee E-mail Communications and Internet Access.

In addition, at least 17 states require their state governments to establish privacy policies and procedures.

California, in particular, has a noteworthy number of consumer privacy laws for California residents, including the newsworthy California Consumer Privacy Act of 2018.

Globally, governments are enacting new data protection and privacy laws at a rapid pace. Aside from the EU’s General Data Protection Regulation (GDPR), there are new schemes from China, Brazil, India and others.

So yes, the timing is right. NIST’s draft privacy framework (for public comment) is coming soon. We’ll be watching!

To learn more about NIST’s effort, visit To talk to Sera-Brynn about how privacy considerations can be incorporated into your organization’s information security program and its risk-based decision-making, contact us at
