The National Institute of Standards and Technology (NIST) has released a draft update to its Privacy Framework (PFW), NIST Privacy Framework 1.1 Initial Public Draft, designed to help organizations derive value from the use of personal data, while also managing privacy risks. The draft is open for public comment until June 13, 2025.
This update aligns the Privacy Framework with the recently revised Cybersecurity Framework (CSF 2.0), incorporates stakeholder feedback, and addresses emerging risks – especially those related to artificial intelligence (AI).
Key Updates in Privacy Framework 1.1
- Alignment with Cybersecurity Framework 2.0
  - Since privacy and cybersecurity risks often go hand in hand, the updated PFW mirrors the high-level structure of CSF 2.0, enabling seamless, integrated use for organizations managing both types of risks.
  - The “Core” of the PFW – detailing activities and outcomes that help organizations discuss risk management – has been realigned with CSF 2.0, simplifying risk management processes and improving usability for organizations already familiar with CSF.
- Targeted Revisions to Core Functions
  - The PFW wheel now features a central “Govern” circle, surrounded by four outer sections: Control, Communicate, Protect, and Identify.
  - The updates place greater emphasis on the Govern Function (risk management strategy and policies) and the Protect Function (privacy and cybersecurity safeguards).
- New Section on AI and Privacy Risk Management
  - The draft PFW’s Section 1.2.2 addresses privacy risks introduced by AI, such as data collection without consent, inference attacks, and bias propagation.
  - The framework provides guidance on establishing roles, responsibilities, and accountability for AI-related privacy concerns, and recommends integrating privacy controls into the AI lifecycle.
  - The PFW is designed to work alongside the NIST AI Risk Management Framework, supporting a holistic approach to AI, privacy, and cybersecurity.
- Enhanced Usability and Accessibility
  - Usage guidelines have been moved online, now available as an interactive FAQ for real-time updates and easier navigation.
  - The PFW Learning Center offers multilingual quick-start guides and a highlights video summarizing the draft’s updates.
- Stakeholder Engagement
  - NIST is actively soliciting feedback on the draft, including specific questions about implementation examples, identifier renumbering, and further streamlining of framework materials.
  - Comments can be submitted via privacyframework@nist.gov until June 13, 2025.
Next Steps and Recommendations
- Review the Draft: Legal, compliance, and technical teams should review the NIST Privacy Framework 1.1 Initial Public Draft, focusing on areas of overlap with existing privacy and cybersecurity programs.
- Assess AI Practices: Evaluate current and planned uses of AI for alignment with the new privacy risk management guidance.
- Engage in the Comment Process: Consider submitting feedback to NIST to ensure the final framework meets industry needs.
- Plan for Adoption: Prepare to update internal policies, training, and governance structures to leverage the integrated PFW and CSF approach once the final version is released later this year.
For further information or assistance with submitting comments, aligning your privacy and cybersecurity programs, or preparing for the adoption of NIST Privacy Framework 1.1, please contact our firm’s VisionAI+ Law Group.
Susan Duarte – Tel: 703-714-1318 / E-mail: sfd@commlawgroup.com
Brian Alexander – E-mail: bal@commlawgroup.com
Diana James – Tel: 703-663-6757 / E-mail: daj@CommLawGroup.com