Ten Things We Love About the NIST Privacy Framework

By Paul Grassi and Maria Vachino

As cybersecurity and identity professionals, you might think we nerd out all day long talking about authentication, identity proofing, and federation – and you’d be mostly right. We are passionate about cybersecurity and identity but, for the record, we’ve been longtime privacy superfans. Frankly, we think good privacy enables good identity, not the other way around. Given NIST’s recent release of Version 1.0 of the Privacy Framework, it’s only fitting that we follow up last year’s blog, 10 Things We Love About the Updated Federal Identity Guidance, written by our resident privacy nerd, Jamie Danker, with 10 things we love about the newly released NIST Privacy Framework.

  1. Risk-based – Security has long embraced this approach and we’re delighted to see privacy moving in this direction. Aiming for perfect privacy has the same pitfalls that aiming for perfect security does – it isn’t achievable, doesn’t help with prioritization, and can even interfere with mission critical objectives. The solution is a risk-based approach that considers both the likelihood and impact of problematic data actions, then weighs options for mitigation against available resources and organizational needs (but don’t confuse a risk-based approach as a substitute for compliance with current laws and regulations).
  2. Actionable – The Privacy Framework is a tool that can help deconstruct legal and policy requirements into system requirements – you know, those things that are actually needed to ensure compliance with laws!
  3. Explains the Security and Privacy Relationship – We think the Privacy Framework offers one of the best explanations of the overlap and distinctions between security and privacy. It certainly helps explain to the security community and other stakeholders that protecting privacy goes beyond concerns surrounding data breaches and extends more broadly into the privacy risks that arise from data processing. Understanding the two as distinct yet interrelated helps further the development of systems, products, and services that are both secure and privacy enhancing.
  4. Emphasizes Privacy Risk Assessment – We’ve been following NIST’s Privacy Engineering Program and are glad to see the emphasis on Privacy Risk. Everyone knows adding security to a system as an afterthought doesn’t work. Well, tacking on privacy at the end doesn’t work either! We hope the new framework helps to mature privacy impact assessment practices so they become part of initial system design.
  5. Communication Tool – Ever been in a cross-functional team meeting and had the feeling that you’re not all speaking the same language? When it comes to privacy, the Framework levels the playing field. We’ve seen how the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) has impacted how organizations communicate about cybersecurity with its 5 Functions: Identify, Detect, Protect, Respond and Recover. Now for privacy, you’ll want to remember these five simple words: Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P. To understand the meaning behind these words, check out the Privacy Framework Core.
  6. Flexible – One of the greatest features of the Privacy Framework is its flexibility. The framework is not something to be “complied with.” Rather we think proper use of the framework is to align privacy with systems development and with security accreditation processes. As the framework notes, “deriving benefits from data while simultaneously managing risks to individuals’ privacy is not well suited to one-size fits all solutions.” This is very familiar to any system owner that has achieved an Authority to Operate (ATO) where not every single security control is relevant to a particular risk environment.
  7. Eco(system)-Friendly – The Privacy Framework acknowledges that there are many roles within the data processing ecosystem. We’re a fan of LEGOs and we see the framework as a really cool set that can be custom built based on the particular role(s) your organization takes. Even cooler is that these can be reused and interoperate with others in the data processing ecosystem.
  8. Stakeholder Driven – The Privacy Framework development process was open and transparent with workshops, webinars, and comments periods galore! We’re excited to see the launch of a Resource Repository where organizations can share profiles, crosswalks, and tools to help advance the framework’s implementation.
  9. Recognizes Digital Identity as a Key Enabler – OK, OK, yes, privacy is an enabler of identity, but it actually works both ways. We have a special place in our hearts for digital identity at Easy Dynamics, so we are excited to see that the Privacy Framework’s Identify-P Function includes the Identity Management, Authentication, and Access Control category. Best practices in identity and security, such as the use of Federation, can substantially reduce privacy risk by reducing the replication of PII. And strong identity controls (see NIST SP 800-63 Rev. 3) are key to compliance with privacy laws and regulations that have individual access request requirements, such as the Privacy Act of 1974, the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act.
  10. Agnostic – Organizations needn’t wait for federal or state privacy legislation – they can get started on using the framework as a building block right away, on a VOLUNTARY basis. Since it’s agnostic to laws and regulations, getting started can only better position organizations to respond to changes in the legislative landscape.

So, let’s take a moment to reflect on what a huge milestone this is for privacy programs, solution engineers, and individuals alike and the enormous potential the framework has to advance the privacy conversation!