The U.S. National Institute of Standards and Technology (NIST) has released a draft update to its Privacy Framework, aligning it more closely with the recently updated Cybersecurity Framework. The changes to the NIST Privacy Framework 1.1 Initial Public Draft (IPD) aim to improve usability and address feedback from stakeholders by refining content and structure. NIST is accepting public comments on the draft through June 13, 2025.
The NIST Privacy Framework 1.1 IPD has been developed in response to stakeholder interest in an updated framework that better reflects current privacy risk management needs. Key goals of the update include aligning the framework with the NIST Cybersecurity Framework (CSF) 2.0 and improving its overall usability. It also aims to provide information on artificial intelligence (AI) and privacy risk management.
Privacy Framework 1.1 follows the structure of CSF 2.0 to facilitate the use of both frameworks together. Like the Cybersecurity Framework, the Privacy Framework is composed of three components – Core, Organizational Profiles, and Tiers. Each component reinforces privacy risk management through the connection between business and mission drivers, organizational roles and responsibilities, and privacy protection activities.
The Core enables a dialogue, from the executive level to the implementation/operations level, about important privacy protection activities and desired outcomes; Organizational Profiles enable the prioritization of the outcomes and activities that best meet organizational privacy values, mission or business needs, and risks; and Tiers support decision-making and communication about the sufficiency of organizational processes and resources to manage privacy risk.
In summary, the Privacy Framework is intended to help organizations build better privacy foundations by bringing privacy risk into parity with their broader enterprise risk portfolio. NIST is seeking feedback from stakeholders on whether the IPD effectively addresses these goals. In addition to comments on alignment and usability, NIST welcomes input on all aspects of the draft, including content, structure, format, grammar, and syntax.
Stakeholders are encouraged to provide clear, actionable suggestions with rationale for each proposed change. To facilitate the review process, NIST has made a comment template available on the Privacy Framework website. “This is a modest but significant update,” Julie Chua, director of NIST’s Applied Cybersecurity Division, said in a media statement. “The PFW can be used on its own to manage privacy risks, but we have also maintained its compatibility with CSF 2.0 so that organizations can use them together to manage the full spectrum of privacy and cybersecurity risks.”
NIST is also requesting feedback on a few targeted issues. One area of interest is whether to include Implementation Examples as supplemental material in the final version of Privacy Framework 1.1. Stakeholders are asked whether a mapping of task statements from the NIST Privacy Workforce Taxonomy to the updated Core would be a helpful approach for creating such examples. Another issue involves gaps in the Subcategory Unique Identifiers that have resulted from the reorganization of content in the Core. NIST is considering whether to renumber the identifiers to close these gaps or retain them as-is, and requests feedback on preferences and the reasoning behind them.
NIST has also begun streamlining the PDF version of the framework by replacing Section 3 with a high-level summary and relocating detailed content to the Privacy Framework website for more interactive use. The agency seeks input on whether further streamlining is appropriate, which content should be moved, and what formats—such as quick-start guides or interactive tools—would be most helpful for conveying the relocated materials.
Privacy Framework 1.1 updates include targeted revisions and restructuring of the Core; a new Section (1.2.2) on AI and privacy risk management; and relocation of Section 3 guidelines from front matter to the NIST Privacy Framework website. The Privacy Framework can support organizations in building customers’ trust by supporting ethical decision-making in product and service design or deployment that optimizes beneficial uses of data while minimizing adverse consequences for individuals’ privacy and society as a whole; fulfilling current compliance obligations, as well as future-proofing products and services to meet these obligations in a changing technological and policy environment; and facilitating communication about privacy practices with individuals, business partners, assessors, and regulators.
NIST Privacy Framework 1.1 is a voluntary tool intended to be used by organizations of all sizes and is agnostic to any particular technology, sector, law, or jurisdiction. Using a common approach, adaptable to any organization’s role(s) in the data processing ecosystem, the Privacy Framework’s purpose is to help organizations manage privacy risks by taking privacy into account as they design and deploy systems, products, and services that affect individuals; communicating about their privacy practices; and encouraging cross-organizational workforce collaboration, through the development of Profiles, selection of Tiers, and achievement of outcomes.
The document identifies that AI systems can introduce significant privacy risks throughout their life cycle, especially when data is collected without consent or lacks adequate safeguards. These risks include revealing personal information through inference or attacks, amplifying biases, and enabling harmful uses such as generating invasive content. The NIST Privacy Framework 1.1 helps organizations identify and manage these risks by addressing the privacy implications of AI data processing.
Left unmanaged, such risks can lead to harm for individuals and groups, as well as broader organizational consequences like reputational damage and financial loss. Organizations may choose to prioritize and respond to privacy risk in different ways, depending on the potential impact to individuals and the resulting impacts to the organization. Response approaches include mitigating the risk, where organizations may be able to apply technical and/or policy measures to the systems, products, or services that minimize the risk to an acceptable degree; and transferring or sharing the risk, for instance by using contracts as a means of sharing or transferring risk to other organizations, or privacy notices and consent mechanisms as a means of sharing risk with individuals.
They may also choose to avoid the risk, for instance when they determine that the risks outweigh the benefits and therefore forgo or terminate the data processing; or to accept the risk, for instance when they determine that problems for individuals are minimal or unlikely to occur, so that the benefits outweigh the risks and it is not necessary to invest resources in mitigation.
The agency recognizes that privacy risk assessments are essential because they help organizations navigate the complex and sometimes conflicting goals of privacy, such as limiting data visibility and enabling individual control. These assessments guide decisions on which privacy-preserving methods to use in specific contexts and how to balance them effectively. Additionally, they help distinguish between compliance risk and actual privacy risk—highlighting potential harms to individuals even when legal requirements are met. This supports ethical decision-making, fosters trust, and helps organizations design systems that both protect privacy and support responsible data use.
NIST said that when used as a risk management tool, the Privacy Framework can assist an organization in its efforts to optimize beneficial uses of data and develop innovative systems, products, and services while minimizing adverse consequences for individuals. The Privacy Framework can help organizations answer the fundamental question, “How are we considering the privacy impacts to individuals and groups as we develop our systems, products, and services?”
To account for the unique needs of an organization, the use of the Privacy Framework is flexible, although it is designed to complement existing business and system development operations. Privacy Framework 1.1 may be used in many ways. For example, an organization may already have robust privacy risk management processes, but it may use the Core’s five Functions as a streamlined way to analyze gaps and articulate privacy program needs with leadership and decision-makers. Alternatively, an organization seeking to establish a privacy program can use the Core’s Categories and Subcategories as a reference. Other organizations may compare Profiles or Tiers to align privacy risk management priorities across different roles in the data processing ecosystem.
Earlier this month, NIST published the finalized Special Publication (SP) 800-61 Revision 3, which seeks to assist organizations with incorporating cybersecurity incident response recommendations and considerations throughout their cybersecurity risk management activities as described by the NIST CSF 2.0. NIST SP 800-61 Rev. 3 focuses on improving cybersecurity risk management across all of the NIST CSF 2.0 Functions to better support an organization’s incident response capabilities.