This month, the National Institute of Standards and Technology (NIST) drafted a new version of its NIST Privacy Framework (PFW), which was intended to address current privacy risk management needs, maintain alignment with the agency’s recently updated Cybersecurity Framework, and improve usability.

The draft release, “NIST Privacy Framework 1.1 Initial Public Draft,” is broadly intended to aid organizations in managing the privacy risks that can arise from personal data flowing through complex information technology systems. NIST further noted that the changes to the PFW were needed because of its relationship with the widely used NIST Cybersecurity Framework (CSF), which received an update in February of last year.

The PFW 1.1 Public Draft Core is thus realigned with the CSF 2.0 Core in many places. The changes include more focus on the Govern Function, which covers risk management strategy and policies, and on the Protect Function, which covers privacy and cybersecurity safeguards. In addition, the draft updates the PFW to account for advances in the use of artificial intelligence (AI) tools such as chatbots. Section 1.2.2 of the draft PFW outlines the ways that AI and privacy risks are related.

“This is a modest but significant update,” said NIST’s Julie Chua, director of NIST’s Applied Cybersecurity Division. “The PFW can be used on its own to manage privacy risks, but we have also maintained its compatibility with CSF 2.0 so that organizations can use them together to manage the full spectrum of privacy and cybersecurity risks.”

Clear Alignment Between PFW and CSF

NIST acknowledged that privacy risk is closely related to, and even overlaps with, cybersecurity risk. The two frameworks should therefore have the same high-level structure to make them easy to use together.

“Bridging privacy standards with NIST’s latest cybersecurity guidelines is both overdue and challenging; just the right degree of rigor can take more time than we’d like, but it’s necessary to get this right,” said Carolyn Crandall, CMO at cybersecurity provider AirMDR.

“We’ve all watched the lines between data privacy and cybersecurity blur over the years, especially with the rise of AI-driven tools that process and correlate vast amounts of sensitive information in seconds,” Crandall told ClearanceJobs. “NIST’s proposed changes – introducing AI considerations, refining guidance, and integrating privacy with core security standards – aren’t merely housekeeping; they’re an essential step toward a more modern, cohesive framework.”

The proposed changes to the NIST Privacy Framework should provide clearer alignment with the principles articulated in NIST’s Cybersecurity Framework, Dr. Jim Purtilo, associate professor of computer science at the University of Maryland, also told ClearanceJobs.

“It makes sense, even if these are a long time coming,” explained Purtilo. “Privacy and security are two perspectives into what is fundamentally the same technical space, so having two guides that grew to look independent over time posed needless complexity to stakeholders intent on following best practices. The proposed update, which is open for comment now, should make for an easier time when comparing principles of one to principles of the other framework.”

Guidance and Guardrails

Both the PFW and the CSF are fundamentally process documents, and applying the same standards to both is overdue. The actual guidelines, however, require attention to detail, and they could still leave some questions unresolved.

“Technologists should not look to them thinking they will see a list of directives saying ‘here, do this,’” warned Purtilo. “They will instead find guidance on what questions to ask themselves when they reflect on practices and implementation details specific to their operations. In that sense, these frameworks – both the original and proposed refresh – will still look somewhat opaque to many. Still, the win is for technologists to be thinking critically about such issues in the first place, and the frameworks offer guidance on matters that are worthy of their consideration along the way.”

Moreover, the PFW and the CSF remain guidance, not strict rules.

“Practically speaking, these updates give organizations clearer, more integrated guardrails for managing sensitive data and anticipating emerging risks. By tackling the inherent complexity, NIST helps businesses move beyond viewing privacy as a mere compliance box to be checked, positioning it instead as a core pillar of their overall security strategy,” added Crandall. “If done right, these revisions can reduce regulatory headaches, build stronger trust with customers, and keep companies agile in a rapidly evolving threat landscape.”

She further told ClearanceJobs that the most valuable aspect of this update is its clarity.

“In an environment where privacy regulations vary widely and risks evolve quickly, concise and actionable guidance from NIST gives organizations a solid foundation to move with confidence,” Crandall continued. “It’s not just about managing compliance—it’s about enabling smarter, faster decisions in the face of growing complexity.”

Peter Suciu is a freelance writer who covers business technology and cyber security. He currently lives in Michigan and can be reached at petersuciu@gmail.com. You can follow him on Twitter: @PeterSuciu.