The NIST Privacy Framework

by John Bandler

About the NIST Privacy Framework v 1.0

The NIST Privacy Framework is valuable guidance for organizations on privacy, free to access and use, created by lots of smart people, paid for with U.S. tax dollars. It is voluntary guidance organizations may choose to follow, adapt, or disregard.

If you are looking for a comprehensive privacy framework, this is the first option to consider. It is reliable, credible, and totally free to access via the internet, without any fee, registration, or licensing agreement.

What is privacy?

I explain that in my article on privacy, but one concept is the "right to be left alone".

There are four main areas of privacy:

  • Information privacy (data privacy)
  • Communications privacy
  • Territorial privacy
  • Bodily privacy.

Our focus is data privacy (information privacy). Organizations hold vast troves of consumer data, which is valuable for marketing, advertising, and for cybercriminals and identity thieves.

A growing number of laws impose legal requirements surrounding privacy, and provide rights to consumers.

These laws may require that organizations have privacy programs, respect individual privacy choices, and protect personal data from cybercrime (e.g. data breach).

What is a framework?

A framework is simply guidance, or "best practices".

"Cybersecurity frameworks" is a common term and there are many of them out there: detailed guidance on how to manage cybersecurity and information security. Now we have a privacy framework.

I put these frameworks in the category of "external guidance" meaning they are voluntary guidance that come from outside the organization. Voluntary means organizations may choose to follow, adapt, or disregard. (See my link about external guidance later, within the context of my Five Components for Policy Work).

Again, this privacy framework is a suggested best practice. It is not mandatory, it is a voluntary guide. Privacy (like cybersecurity) is complicated, and we cannot expect every organization to reinvent the wheel while securing themselves.

Compare guidance to laws or regulations, which may impose mandatory rules upon the organization (see more about external rules later, another of my Five Components for Policy Work).

NIST is a respected government agency

NIST is the National Institute of Standards and Technology, an agency of the U.S. Department of Commerce. They are funded by our federal tax dollars and do a lot of great work, thanks to many smart and hard working people there, and a comprehensive process for building, revising, and finalizing their documents.

Again the NIST frameworks are created and maintained by good government people working through a deliberative process, paid for with tax dollars and made publicly available at no cost and with no license agreement.

In contrast, many other frameworks come from for-profit or not-for-profit organizations (and some that blend both types of organizations). Some frameworks cost money to access, and have legal terms about their usage.

NIST makes their privacy framework, their cybersecurity framework, and all of their other publications freely and publicly available. That's amazing. People should take advantage of it. It should be your first stop before considering proprietary frameworks.

Who is the NIST privacy framework for?

The NIST privacy framework can be applied to any organization, of any type.

That said, it is generally geared toward readers with a high degree of privacy knowledge and cybersecurity knowledge. Just take a look at some of the categories and then their descriptions, and see what the learning curve might be for you.

History of the NIST Privacy Framework

NIST has been creating information security related frameworks for decades (and lots of other voluntary standards for other areas).

Their Cybersecurity Framework (CSF) is well respected and well used. With privacy an increasing concern and legal requirement, NIST saw the need and took on the challenge to create a framework for privacy, and they worked to make it interoperable with the CSF.

Here's the chronology:

  • NIST Privacy Framework Version 1.0 was published in January 2020, titled "NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management."
  • Updates will follow!

Summary of the NIST Privacy Framework v 1.0

The NIST Privacy Framework v 1.0 was released on 1/16/2020 and is organized into five main "functions" of:

  • Identify-P
  • Govern-P
  • Control-P
  • Communicate-P
  • Protect-P

The "-P" denotes these are part of the privacy framework, rather than the NIST CSF (as they share some of the function names).

These five functions are further subdivided into 18 categories as follows:

  • Identify-P
    • Inventory and Mapping (ID.IM-P)
    • Business Environment (ID.BE-P)
    • Risk Assessment (ID.RA-P)
    • Data Processing Ecosystem Risk Management (ID.DE-P)
  • Govern-P
    • Governance Policies, Processes, and Procedures (GV.PO-P)
    • Risk Management Strategy (GV.RM-P)
    • Awareness and Training (GV.AT-P)
    • Monitoring and Review (GV.MT-P)
  • Control-P
    • Data Processing Policies, Processes, and Procedures (CT.PO-P)
    • Data Processing Management (CT.DM-P)
    • Disassociated Processing (CT.DP-P)
  • Communicate-P
    • Communication Policies, Processes, and Procedures (CM.PO-P)
    • Data Processing Awareness (CM.AW-P)
  • Protect-P
    • Data Protection Policies, Processes, and Procedures (PR.PO-P)
    • Identity Management, Authentication, and Access Control (PR.AC-P)
    • Data Security (PR.DS-P)
    • Maintenance (PR.MA-P)
    • Protective Technology (PR.PT-P)

These 18 categories are further broken down into 100 subcategories. You can download the "core" document laying them all out in either PDF or Excel format (links at bottom).

Some functions, categories, and subcategories share similar language with the NIST CSF, and some may be identical. Note that the application of these items may be different for privacy compared to cybersecurity (see next).

Privacy vs. Cybersecurity

Privacy and cybersecurity overlap greatly, but there is a distinction (as I lay out in my privacy article). Here's a really simple way to think about it.

  • Privacy: protect privacy rights of consumers, especially with their data, including with good cybersecurity for that data.
  • Cybersecurity and cybercrime prevention: protect the entire organization from cybercrime, including by protecting that consumer data.

As I tackle each of these areas with clients, the Five Components for Policy Work serves us well, plus principles of good management and good decision making. We focus on:

  • Mission of organization
  • Protect
  • Comply.

NIST Privacy Framework links and references

Let me walk you through some of the links.

Remember that you can find it all through the NIST landing page and website. They have organized it well.

I have bolded the most important webpages.

National Institute of Standards and Technology (NIST) resources

  • NIST Privacy Framework landing page, https://www.nist.gov/privacy-framework
  • NIST Privacy Framework v 1.0, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.01162020.pdf
  • Resource repository, https://www.nist.gov/privacy-framework/resource-repository
  • Getting started, https://www.nist.gov/privacy-framework/getting-started-0
  • Roadmap (landing page), https://www.nist.gov/privacy-framework/roadmap
  • Roadmap (PDF), https://www.nist.gov/document/nist-privacy-framework-roadmap-v10
  • Privacy framework core (PDF), https://www.nist.gov/system/files/documents/2021/05/05/NIST-Privacy-Framework-V1.0-Core-PDF.pdf
  • Privacy framework core (XLSX), https://www.nist.gov/document/nist-privacy-framework-v10-core
  • Privacy framework core (online), https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/PF_1_0_0/home
  • FAQ, https://www.nist.gov/privacy-framework/frequently-asked-questions

NIST has other frameworks and guidance too

NIST has many publications, many of which could be called "frameworks". Many relate to cybersecurity, and I cover that in my other article.

Again, all of the NIST frameworks are publicly available and easily downloadable for free, without any registration. So thank you to the U.S. Government (and tax dollars) for that.

Conclusion

The NIST privacy framework is external guidance (not a law or regulation). That said, it might help you comply with the ever expanding array of privacy related laws and regulations.

NIST publications are freely available thanks to the U.S. Government and our tax dollars, so take full advantage of that.

This is not legal advice nor consulting advice, and is not tailored to your circumstances.

Additional reading

This article is hosted at https://johnbandler.com/nist-privacy-framework. Copyright John Bandler, all rights reserved.

Posted 7/11/2024. Updated 7/12/2024.