May 19, 2022

NIST Releases Preliminary Draft of Privacy Framework

New Today from the National Institute for Standards and Technology (NIST):

We are delighted to announce the release of the Preliminary Draft of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management for public comment.

Since our kickoff workshop in October 2018, in Austin, Texas, we put out a Request for Information and we’ve been traveling around the country conducting a series of workshops and roundtables to listen to stakeholders about their challenges with protecting privacy and how we can develop the Privacy Framework into a tool that will help. This Preliminary Draft is the result of these conversations. Our goal was to deliver a tool that could help organizations communicate better about privacy risks when designing and deploying products and services, provide more effective solutions that can lead to better privacy outcomes, and facilitate compliance with their legal obligations. Now it’s your turn to let us know if we met that goal.


As presented in the Preliminary Draft, there are five Functions in the Privacy Framework: Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P, where the -P distinguishes privacy focused activities versus cybersecurity ones.  The first four can be used to manage privacy risks arising from data processing, while Protect-P can help organizations manage privacy risks associated with privacy breaches along with Detect, Respond, and Recover from the Cybersecurity Framework. Protect-P is not the only way to manage privacy risks associated with privacy breaches. Alternatively, organizations could use all of the Cybersecurity Framework Functions in conjunction with Identify-P, Govern-P, Control-P, and Communicate-P to collectively address privacy and cybersecurity risks.

Direct to Complete NIST Blog Post

From a NIST News Release:

Privacy is a concept distinct from security, but the two are intimately connected in our digital world. A security breach that cracks a company’s database might reveal private information about thousands of individuals. For that reason, many industry stakeholders over the past year requested that NIST align the Privacy Framework with the Cybersecurity Framework, one of NIST’s flagship publications.

The Privacy Framework is therefore aligned with the Cybersecurity Framework both structurally and conceptually, and they are designed to be used together.

Both documents help organizations assess their own risks and achieve their particular goals. Similar to the Cybersecurity Framework structure, the Privacy Framework centers on three parts:

  • The Core offers a set of privacy protection activities and enables a dialogue within an organization about the outcomes it desires.
  • Profiles help determine which of the activities in the Core an organization should pursue to reach its goals most effectively.
  • Implementation Tiers help optimize the resources dedicated to managing privacy risk. One company might have more risks, for example, and might need to have a chief privacy officer, while another might not.

NIST Requests Comments on Draft Privacy Framework

Direct to Draft Document and Related Materials

About Gary Price

Gary Price ( is a librarian, writer, consultant, and frequent conference speaker based in the Washington D.C. metro area. Before launching INFOdocket, Price and Shirl Kennedy were the founders and senior editors at ResourceShelf and DocuTicker for 10 years. From 2006-2009 he was Director of Online Information Services at, and is currently a contributing editor at Search Engine Land.