During last week’s RSA Conference, the Center for Cybersecurity Policy and Law hosted an event featuring program updates from the National Institute of Standards and Technology (NIST) called “NIST: Everything, Everywhere, All at Once: Program Updates from the Privacy Framework, the Cybersecurity Framework, Internet of Things (IoT), and Quantum.”
Among the event’s highlights was a spotlight on a “younger” risk management framework, the NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management. The framework is a flexible tool, modeled after the Cybersecurity Framework, that organizations can apply in a variety of ways, such as establishing or improving a privacy program, designing privacy into products and services to build consumer trust, and meeting current compliance obligations.
NIST’s signature Cybersecurity Framework was released nine years ago (February 2014) and is currently undergoing a significant update (see the Cybersecurity Framework 2.0 Discussion Draft Core), while the Privacy Framework is now just over three years old. NIST privacy nerds, present company included, want to know: if NIST builds a voluntary framework, will organizations adopt it? And how is the framework actually being used in practice after three years? After hearing about real-life applications of the framework from John Deere and Company and the NIST Privacy Engineering Program, it became clear that the framework is gaining traction, and some common themes are emerging around how and why organizations are using it.
There are many attributes that make the framework an attractive choice, but some of the most frequently cited reasons include:
- Agnostic to laws and regulations – The framework provides a tool that can be mapped to various privacy laws, regulations, and standards.
- Cybersecurity Framework Adoption – When an organization is already using the CSF, adoption of the Privacy Framework can be an easier “sell” internally. Use of a common and familiar structure (e.g., Core, Profiles, and Tiers) also helps communication across the organization.
- Voluntary and flexible – While there are no mandates to use the framework, it is worth noting that the Tennessee Information Protection Act, recently moved forward for signature by the Governor, includes a specific provision that “requires a controller or processor to create, maintain, and comply with a written privacy program that reasonably conforms to the NIST privacy framework.”
There are a variety of different ways organizations are using the framework:
- Assessment tool to improve an existing privacy program – Many organizations, Deere and Company included, are using the framework to assess their program’s Current Profile and Implementation Tier and to develop a roadmap for reaching a Target Profile and Tier. Organizations can assess at varying levels of granularity, from the highest at the Function level to more granular at the Category and Subcategory levels. The outputs of the assessment help communicate the program’s priorities across the organization and can be used to make the case to leadership for the additional tools and resources needed to reach the target state.
- Startup Privacy Program – An organization used both the cybersecurity and privacy frameworks to build a robust privacy program, demonstrate to investors how it responds to enhanced due diligence checks, and position privacy as a competitive differentiator.
- Regulatory Compliance – Privacy programs want to ensure that they are meeting their obligations under the various privacy laws and regulations. Accordingly, many are using the framework as a vehicle to support compliance by mapping privacy laws and regulations (e.g., GDPR, CCPA) to the framework. Tip: check out the resource repository for mappings from community contributors.
- Privacy and Cybersecurity Program Alignment – As previously noted, the Privacy Framework is a natural choice for an organization that is already implementing the Cybersecurity Framework. In this example, the organization used its existing Cybersecurity Framework profile to identify its existing requirements and controls. It then developed a Privacy Framework profile, ran a gap analysis, and identified the additional privacy requirements and controls to add to its existing set. By using both frameworks, the organization avoided reinventing the wheel while improving communication about privacy and cybersecurity through program alignment.
The framework can also be used in more targeted ways. Here are a couple of examples:
- Data Governance – A large conglomerate with over a dozen distinct brands, each with its own data governance process, wanted to harmonize its data governance strategy. The organization used select Functions (i.e., Identify and Control) and Categories (e.g., Inventory and Mapping; Data Processing Policies, Processes, and Procedures; Business Environment; Data Processing Management) to evaluate its data governance objectives against and arrive at a unified and more robust data governance strategy.
- Policy Alignment – An organization that acquired another organization with a different privacy program used the framework to assess the original program’s policies and controls alongside the acquired program’s policies and controls. Using the policies, processes, and procedures Subcategories from the Govern, Control, and Communicate Functions, the organization aligned the two disparate sets of policies and developed a two-year roadmap to implement more granular privacy controls.
Kudos to Deere and Company for contributing to the discussion about how they are using the framework to drive customer value, and to the NIST Privacy Engineering Program for sharing examples. Whether or not your organization has taken the Privacy Framework plunge, we hope this sparks some inspiration for how the framework can be used.