“Modest but significant”: what does the new NIST Privacy Framework 1.1 change?
- Confidencial Newsroom
- May 2
- 4 min read

Anybody who has spent any time in cybersecurity or risk can probably recite the NIST Cybersecurity Framework by heart: identify, protect, detect, respond, and recover.
It’s become absolutely foundational to how companies and technology makers organize their security narratives, bringing much-needed clarity to the complexity and confusion surrounding the security discussion, especially around data security and compliance.
Another update from a standards leader
If you know NIST's work, you know this is exactly what the agency does best. Since its founding in 1901, NIST has been stepping into governance gaps where regulation is probably too strong a measure but people and businesses are still hungry for standards.
Obviously, NIST has done a lot for more than just digital clarity, including helping bring much-needed standardization to women's clothing sizes in the late 1940s. But it's no surprise that its current 2020 privacy standard, like its famous IPDRR framework, is already seen as foundational by 6 in 10 US organizations.
What’s in the original framework?
If you need a refresher:
Like the CSF, the 1.0 Privacy Framework had three components. The Core defines key functional outcomes, Profiles align these functions with an organization's needs by identifying current and target states, and Tiers measure the maturity of risk management practices.
Core
The core of the framework is its functions. The first Privacy Framework used: Govern, Identify, Protect, Detect, Respond, and Recover.
Profiles
Profiles reflect maturity across the functions. An organization might be more mature in Detect than in Protect: its Detect outcomes might be complete, whereas its Protect outcomes are only partial.
Tiers
These are a structured way to measure progress across the core functions, and to compare current and target states.
Together, both the cyber and privacy frameworks have helped organizations standardize how they measure and mitigate risk.
So why change a good thing?
NIST leadership has come from thoughtful and deliberate collaboration with businesses, industry leaders, and regulators to help find common ground—and often a common language—to discuss big issues around risk and security. That’s where the 1.0 framework came from.
But in the five years since 1.0 was released, a lot has changed. In fact, enough has gone on to warrant the agency revisiting the standard. The update has four stated aims:
- Creating better alignment with CSF 2.0: aligning closely with the updated Cybersecurity Framework 2.0 makes it easier for organizations to manage privacy and security risks together using something close to a unified structure, especially around cybersecurity and privacy governance.
- Addressing the rapid rise of AI: the update addresses new privacy risks from technologies like AI, including data inference, bias, and complex data and regulatory flows not fully covered in the previous version.
- Prioritizing privacy as a business issue: the update enhances data governance and risk management by strengthening guidance on roles, responsibilities, accountability, and ongoing monitoring, while more strongly integrating privacy into overall enterprise risk strategies.
- Adapting to user feedback: based on stakeholder feedback, the update improves usability and flexibility, making the framework more practical, accessible, and adaptable for organizations of all sizes and across both public and private sectors.
What’s changing?
According to Julie Chua, director of NIST’s Applied Cybersecurity Division, 1.1 represents a “modest but significant update” that aims to bring a little more harmony and cohesion to organizations using both the cybersecurity and privacy framework.
Chua explained that “the PFW can be used on its own to manage privacy risks, but we have also maintained its compatibility with CSF 2.0 so that organizations can use them together to manage the full spectrum of privacy and cybersecurity risks.”
Given how often decision-makers struggle to find and simplify guidance, there is no doubt much of the feedback NIST received was about this alignment, as the convergence of risk is driving organizations to seek convergence in controls.
The Specifics
The 1.1 version of the framework features some key updates.

Governance is now standalone in the core
The 1.0 core was built around an Identify, Govern, Control, Communicate flow. The 1.1 core, as illustrated above, makes governance a standalone function that spans the others, and now includes the Protect function, bringing it in line with the updated CSF.
All new guidance on AI
A new AI section in Privacy Framework 1.1 addresses unique privacy risks from AI, such as data reconstruction, prompt injection, membership inference, and systemic bias. It helps organizations identify, assess, and mitigate these risks while meeting evolving regulatory and ethical privacy requirements, both key to modern AI governance.
Updated content & resources
Like the more mature CSF, the PFW now has a complete library of updated resources, including an interactive FAQ. You can see more of them here, including very cool crosswalks that dynamically link the CSF and PFW.
What does it mean for data protection?
While many of the changes around the 1.1 update were about strategic structure, the expansion of the Protect function is notable.
The new NIST Privacy Framework 1.1 maintains encryption as a critical control but reorganizes it under the Protect function to align with CSF 2.0. Technical encryption specifications now appear in separate online guidance rather than the Core.
The importance of encryption to both the cybersecurity and privacy frameworks is telling.
Whether it’s overall cybersecurity maturity or just stronger privacy priorities and protection, it all starts with keeping data, especially sensitive data, secure.
To see how Confidencial can help you find sensitive data across your environment, learn more about our no-obligation sensitive data scan.

Check out this three-page overview to see how Confidencial can help you operationalize the NIST Cybersecurity Framework 2.0 and turn risk insights into tangible security outcomes.