The US National Institute of Standards and Technology (NIST) has announced significant updates to its Privacy Framework, aiming to better align it with the Cybersecurity Framework. This move reflects the growing intertwining of privacy and cybersecurity concerns as organizations increasingly handle personal and sensitive data. The Cybersecurity Framework had previously received its own overhaul in February 2024, further emphasizing the need for cohesive guidelines amid evolving technological landscapes.
NIST’s revised Privacy Framework encompasses guidelines on protecting personal information and managing privacy risks, which is critical as organizations are expected to comply with global laws and regulations. The framework comprises three components: core, implementation tiers, and profiles. NIST is currently inviting organizations to provide feedback on the draft Privacy Framework version 1.1 until June 13. “Privacy risk is closely related to, and often overlaps with, cybersecurity risk. Because of this, the two frameworks have the same high-level structure to make them easy to use together,” NIST officials stated.
The updates are spurred by a marked rise in data breaches and the proliferation of artificial intelligence (AI) technologies. NIST has modified the Governance and Protect functions within the framework, introducing a new section dedicated to aiding organizations in balancing AI and privacy risk management. “The rapid growth of AI has accelerated the integration, particularly as privacy and cybersecurity teams grapple with the unique risks posed by new AI use cases,” noted Neil Thacker, global privacy and data protection officer at Netskope.
Industry experts support these updates as they cater to the evolving challenges at the intersection of privacy, cybersecurity, and AI. According to Caitlin Fennessy, chief knowledge officer at the International Association of Privacy Professionals (IAPP), driving factors behind the recent revisions include advancements in AI, an elevation of responsibilities, and an urgent need for a more holistic approach. “Effective governance for privacy and cybersecurity requires similar risk assessment processes,” shared Sabeen Malik, VP of global government affairs and public policy at Rapid7.
As organizations adapt to these new guidelines, the importance of integrated frameworks becomes increasingly evident. Experts contend that while the updates markedly enhance the frameworks, ongoing efforts are warranted to address the expanding landscape of privacy risks. “The risk-based approach is a good way to prioritize,” remarked James Robinson, CISO at Netskope.