NIST Privacy Risk Framework 1.0 Released

5 min read
Published on Jan 28, 2020

NIST has released Version 1.0 of its privacy risk framework. The draft version of the NIST Privacy Risk Framework was released for comment in September 2019. Further, the present version incorporates the feedback and provides guidance for organizations working to improve their practices.

It’s complementary to the NIST Cybersecurity Framework. Security and privacy are closely related, but having secure data doesn’t necessarily mean privacy is being appropriately guarded. Privacy depends on information handling policies and safeguards as well as technical protection.

The framework isn’t a legally binding regulation or even a standard to comply with. Rather, it’s a way of organizing the issues that need addressing and measuring progress with them. It helps evaluate and document compliance with privacy requirements and standards such as the ones in GDPR, HIPAA, and CCPA.

Naomi Lefkovitz, the leader of the framework effort, said in its announcement that “you need a framework for privacy risk management, not just a checklist of tasks. You need an approach that allows you to continually reevaluate and adjust to new risks.”

Overview of the NIST Privacy Risk Framework

The framework consists of three main components: the core, profiles, and implementation tiers.

The core of the framework defines a set of activities and outcomes, aimed at talking clearly and consistently about privacy risk. They are defined at three levels: functions, categories, and subcategories. They aren’t intended as a checklist, but rather as ongoing processes for achieving what is often a moving target.

Profiles are sets of functions, categories, and subcategories that fit an organization’s priorities. They let the organization describe its current state of privacy management and compare it with where it wants to be.

Implementation tiers measure the level of privacy risk awareness and management under a profile. There are four tiers, characterized by increasing levels of awareness and adaptability. Not everyone needs to reach the highest tier, but organizations should know what they’ve achieved and would like to achieve.

The Framework Core

At the highest level, the core of the NIST Privacy Risk Framework defines five functions, all named with the suffix “P”. The suffix distinguishes them from functions in the Cybersecurity Framework and elsewhere.

Identify-P: Developing organizational understanding. It includes taking an inventory of data processing practices, understanding what privacy interests are involved, and conducting risk assessments.

Govern-P: Setting up governance policies related to privacy. The approach to governance needs to consider regulatory requirements and the acceptable level of risk tolerance.

Control-P: Setting up data management activities to handle privacy risks. These activities apply both at the organizational level and to the individuals who handle data.

Communicate-P: Developing and implementing activities supporting communications on how data is processed and what the privacy risks are.

Protect-P: Setting up data processing safeguards for privacy. This function deals with the intersection of privacy and cybersecurity.

Categories subdivide functions into groups of privacy outcomes. Subcategories relate to specific technical and management activities. The subcategories provide the most concrete guidance for achieving the goals defined in a profile.

Profiles

The core defines an all-purpose set of goals that an organization may pursue. However, privacy requirements differ greatly among organizations, and each one needs to determine its own priorities. The framework offers profiles as a tool for identifying an organization’s privacy requirements, assessing its current status, and creating a path to where it needs to be.

At least two profiles are necessary. An organization’s current profile describes its present state, using the measures defined in the core. It describes the measures that are in place, to the extent that they can be identified. The target profile defines where the organization should be. Comparing the two helps to determine what needs to be done. Any effort at change requires allocating resources, and putting the current and target profiles side by side helps to determine what will be needed.

A large organization may need multiple current and target profiles for its branches and departments. An HR department has different privacy requirements from health service, even if both are under the same top management.

The creators of the NIST framework decided not to offer any profile templates, since there are too many different scenarios to reduce to a manageable set of prototypes.

Implementation Tiers

Privacy practices vary not just in their goals but also in the level of detail and agility in pursuing them. Not everything needs the same degree of focus. The NIST Privacy Risk Framework defines four implementation tiers:

Partial: The practices aren’t well formalized and understood. The implementation may be largely ad hoc. This is a risky approach if there’s any private information to protect.

Risk informed: People in the organization understand the issues and are taking some appropriate actions, but high-level coordination is limited. This may be sufficient if the privacy risks aren’t high.

Repeatable: Formal policies and an organization-wide approach to direct privacy management. Privacy specialists handle key issues, and the entire workforce gets training. The organization understands its role in external interactions.

Adaptive: In addition to the Tier 3 (Repeatable) activities, the organization adapts its practices to changing needs, and privacy considerations are incorporated into all decision-making processes.

Implementation tiers specify the level of effort that a profile entails. The appropriate tier for a profile depends on factors such as regulatory requirements, the sensitivity of the information, and the organization’s acceptable risk level.

The Role of the NIST Privacy Risk Framework

The point of the NIST Privacy Risk Framework is to help organizations categorize their goals and achievements in protecting privacy. It’s not a tool for calculating a security score, though it could help in designing such tools. It doesn’t prescribe paths, but rather gives a way to describe whatever paths are appropriate and to measure their progress. Used together with the Cybersecurity Framework, it gives a broad picture of how information is protected.

There are many standards that enumerate specific requirements for protecting privacy. This framework can be useful in achieving compliance with any of them. We can help with achieving your privacy and security goals, including CCPA compliance using Microsoft 365. To find out more, schedule a call with us.
