In October 2018, NIST, collaborating with public and private stakeholders, started drafting its privacy framework. The framework is intended to serve as a guide for chief information security officers (CISOs), chief privacy officers (CPOs) and other internal privacy stakeholders and is geared toward helping them improve their organizational privacy posture. As with the NIST Cybersecurity Framework introduced in 2014, compliance with the privacy framework is voluntary: organizations choose whether to adopt it.
It is expected that the framework will be presented in language that can be understood by both privacy and security professionals, as well as executives and other business stakeholders who may have no expertise in privacy, and that’s a very good thing. The roles of the CISO and CPO are evolving to have complementary concerns, which means they must work more closely together, especially when it comes to privacy and personal data protection. Technical professionals and legal professionals speak in very different language in their day-to-day lives, so when it comes to implementing an effective privacy program, everyone had better be speaking the same language to establish a common understanding of what needs to get done.
NIST has been working quickly. A request for information (RFI) to gather input and guide the development of the framework wrapped up in January, and the outline of the NIST Privacy Framework was drafted and shared in March.
This is a welcome move from NIST. I hope that information security and privacy officers embrace the framework. I also hope that the federal government issues strong privacy legislation, similar to the GDPR, that is congruent with the United States Constitution. We, the people, need some relief from the wanton collection and leverage of personal information.