
NIST Privacy Framework receives draft update

A draft update to the NIST Privacy Framework aims to streamline the document and align it with the NIST Cybersecurity Framework.

The National Institute of Standards and Technology, or NIST, released a draft update of the NIST Privacy Framework to improve its usability and better align the document with the NIST Cybersecurity Framework. This marks the first update to the NIST Privacy Framework, or PFW, since the release of version 1.0 in January 2020.

The version 1.1 draft contains revisions to the PFW's core structure and content, as well as new additions surrounding AI and privacy risk management. The draft follows the same structure as version 2.0 of NIST's Cybersecurity Framework, or CSF, which was released in March 2024. The version 2.0 release was the CSF's first major update in a decade.

Like the CSF 2.0, the PFW 1.1 consists of three components: core, organizational profiles and tiers. Organizations can use the two frameworks together to facilitate better privacy and security practices.

What's more, the framework is not specific to any particular sector or technology.

Rather, it allows organizations to adopt a flexible approach to managing privacy risks by communicating their privacy practices, adopting a privacy-first approach to designing systems and encouraging cross-organizational collaboration.

The revisions to the core section of the document, which generally aims to enable dialogue about privacy practices and their desired outcomes, focus on maintaining alignment with the risk management (govern function) and the cybersecurity safeguards (protect function) of the CSF 2.0.

Additionally, NIST added a new section about AI and privacy risk management, since the initial document was released before chatbots were widely used. The PFW 1.1 explores the relation between AI and privacy risks and how stakeholders can use the framework to address these risks.

NIST also restructured some sections of the document to make NIST's guide to using the PFW available online rather than within the document. The guidance's new online home will allow NIST to provide timely updates and quickly respond to stakeholder needs.

Recent updates to both the PFW and the CSF can help organizations better manage privacy and cybersecurity risks, especially as they relate to emerging technologies.

“This is a modest but significant update,” said Julie Chua, director of NIST’s Applied Cybersecurity Division, in a statement.

“The PFW can be used on its own to manage privacy risks, but we have also maintained its compatibility with CSF 2.0 so that organizations can use them together to manage the full spectrum of privacy and cybersecurity risks.”

NIST is seeking feedback on the draft of version 1.1 of the PFW until June 13, 2025.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
