Springtime is here and April showers did not deter attendees from engaging with the NIST Privacy Engineering Program! As we enter this season of renewal it's only fitting that the National Institute of Standards and Technology (NIST) Privacy Framework  gets a bit of a “spring cleaning.”

Against the backdrop of the International Association of Privacy Professionals (IAPP) Global Privacy Summit, the Center for Cybersecurity Policy and Law invited participants to engage with the NIST Privacy Engineering Program (PEP) as they update the NIST Privacy Framework to Version 1.1 and build a “Joint Frameworks Data Governance Profile.”

The session provided an opportunity for participants to identify issues of focus for the Privacy Framework’s update and to provide suggestions on how to approach the development of a data governance profile using NIST risk management frameworks, including the Cybersecurity Framework (CSF) 2.0, the AI Risk Management Framework (RMF), as well as other related NIST resources.

We were honored to have the “PEP Squad,” including Naomi Lefkovitz, Dylan Gilbert, and Nakia Grayson, shower us with updates on many fronts. These included the development of the NIST Privacy Workforce Taxonomy and NCCoE projects in healthcare, replete with examples of how NIST Privacy Resources such as the Privacy Framework and the Privacy Risk Assessment Methodology were leveraged. Here’s our recap:

Session #1: Roundtable Discussion on the NIST Privacy Workforce Taxonomy, Privacy Framework 1.1, and Joint Frameworks Data Governance Profile

Naomi Lefkovitz | Senior Privacy Policy Advisor, NIST

Dylan Gilbert | Privacy Policy Advisor, NIST

The PEP Squad kicked off the event off by delving into the NIST Privacy Workforce Taxonomy initiative, which aims to categorize and describe the privacy workforce, identifying privacy work roles and tasks, as well as the knowledge and skills needed to manage privacy risk. This initiative was highlighted in the Roadmap for Advancing the NIST Privacy Framework, which identifies several key areas posing challenges to organizations striving to meet their privacy objectives. NIST launched a subsequent Privacy Workforce Working Group (PWWG) to develop the taxonomy, and will be relying on stakeholder feedback to fine tune it once the initial public draft is released in mid-April. In addition to supporting privacy professionals in developing job descriptions, the resulting compilation of task, knowledge, and skills helps facilitate greater understanding of the Frameworks outcomes and how they might be implemented.

The discussion then pivoted to the big-ticket item on everyone’s mind -- at least to us privacy nerds -- the Privacy Framework 1.1 Update! In order to support its alignment with the recent release of the CSF 2.0, and to ensure the framework responds to current privacy risk management needs, the Privacy Framework will be stepping into the spotlight for some timely revisions.

NIST was eager to hear from participants how their organization uses both the Privacy Framework and CSF in tandem, and inquired on any additional changes that should be made to the framework beyond its alignment with the CSF. The audience applauded the fact that the frameworks utilize the same security controls enabling interoperability and suggested that the Privacy Framework update enable its alignment with other NIST risk management frameworks like the AI RMF. This sentiment was echoed in the Cybersecurity Coalition’s comments to NIST on CSF 2.0, in addition to a crosswalk resource between the CSF and Privacy Framework.

Following the theme of interoperability, NIST recognized stakeholders' desire for greater support in using multiple NIST resources together. Data governance is often the starting point for organizations seeking to benefit from data processing while also managing privacy, cybersecurity, AI, and other risks. Therefore, NIST will be developing a Joint Frameworks Data Governance Profile to effectively demonstrate how an organization may implement complementary NIST frameworks and resources. 

Attendees reflected that within their organizations, the approach to data governance can often be “ad hoc and siloed,” as companies face communication barriers when dealing with complicated technical language. Participants underscored how useful this resource could be especially when communicating with executive level leadership whose buy-in is crucial to secure the necessary implementation resources.

Deliverable Timeline 2024

  • Q2 – Joint NIST Frameworks Data Governance Profile Concept Paper
  •  Q2 – Public Workshop: Joint NIST Frameworks Data Governance Profile
  •  Q3 – Initial Public Draft: Joint NIST Frameworks Data Governance Profile
  •  Q4 – Request for Comments Deadline on Initial Public Draft
  •  Q4 – Optional Public Workshop
  •  2025 Q1 – PF Version 1.1 and Joint Profile Release

Updates on the Privacy Framework 1.1 update and Data Governance Profile can be found under “New Projects” on the Privacy Framework website, with a dedicated tab to relevant PWWG updates. 

Session #2: NIST Privacy Resources in National Cybersecurity Center of Excellence (NCCoE) Healthcare Projects

 Nakia Grayson | IT Security Specialist, NIST

Following the discussion on the Privacy Framework, Nakia Grayson introduced the National Cybersecurity Centre of Excellence (NCCoE), which collaborates with industry to convene projects that address pressing challenges in the ecosystem, and ultimately produce practical guidance materials. Grayson was able to shine a light on all the awesome work NCCoE has been up to in regards to its Healthcare Portfolio, and the projects that have accelerated through subject matter collaboration like NIST SP 1800-30: Securing Telehealth Remote Patient Monitoring Ecosystem (RPM). Additional projects in the works include the IPD of NIST Internal Report (IR) 6467: Cybersecurity Framework Profile for Genomic Data as well as two reports: NIST Cybersecurity Whitepaper XX: Mitigating Cybersecurity Risk in Telehealth Smart Home Integration and NIST IR XX: Privacy Framework Profile for Genomic Data.

The presentation on the NCCoE’ s Securing Telehealth RPM Project, explored how privacy is integrated into NCCoE solutions by utilizing Privacy Risk Assessment Methodology (PRAM) analysis to identify potential issues and subsequently applying NIST PF outcomes and corresponding NIST 800-53 controls to mitigate identified privacy risks.

Public-private collaboration is key to the success of NCCoE projects, and participants can join a Community of Interest to discuss challenges in their sector, contribute to publications, participate in a project, or propose a project of their own!

As April showers bring May flowers, the Center for Cybersecurity Policy and Law will be monitoring the development of the taxonomy, Privacy Framework 1.1, and the Joint Frameworks Profile, but in the meantime you can engage directly with NIST by signing up to the NIST Privacy Framework Mailing List for updates on all privacy workstreams: PrivacyFramework+subscribe@list.nist.gov.

Jamie Danker & Alexis Steffaro

Read Next

The U.S. and UN Cybercrime Convention: Progress, Concerns, and Uncertain Commitments

The U.S. issued an updated position seeking to move forward the UN Convention Against Cybercrime, a treaty intended to improve the global community’s ability to combat evolving cybercrime threats.

The Counter Ransomware Initiative with Hamish Hansford (DCP S2 E8)

In the latest Distilling Cyber Policy, Alex Botting and Jen Ellis are joined by our second-ever Australian guest: Hamish Hansford, the Deputy Secretary of Cyber and Infrastructure Security Group at the Australian Department of Home Affairs.

Counter Ransomware Initiative Adds Private Sector Members

Earlier this month, more than 68 countries and organization members met for the fourth annual International Counter Ransomware Initiative (CRI), which included the addition of a public-private advisory panel.