
NIST Privacy Framework 1.0

NIST's voluntary privacy risk management framework providing a common language and systematic approach to managing privacy risk across the data lifecycle.

What You Need to Know

The NIST Privacy Framework Version 1.0, published January 2020, is a voluntary tool developed through a public-private collaboration to help organizations identify and manage privacy risk. It is structured parallel to the NIST Cybersecurity Framework (CSF) and is designed to be complementary to it, addressing the distinct risks that arise from data processing activities — including risks to individuals from organizational data practices that may not involve a security breach. The framework comprises three components: Core (a set of privacy protection activities organized by Functions, Categories, and Subcategories), Profiles (customizations of the Core reflecting current or target states), and Implementation Tiers (indicating organizational privacy risk management maturity from Partial to Adaptive).

The Privacy Framework Core is organized across five Functions: Identify-P (inventory data processing, assess privacy risks), Govern-P (establish governance policies, roles, and accountability), Control-P (manage data with policies, processes, and technical controls), Communicate-P (develop and execute communication about data processing), and Protect-P (implement safeguards for data management). Within each Function, Categories provide specific outcomes — for example, under Control-P, Category CT.DP (Disassociated Processing) includes subcategories for implementing data minimization, anonymization, and contextual integrity techniques. The framework is intentionally outcome-based rather than prescriptive, allowing organizations to select appropriate implementation approaches for each subcategory.

A key design principle of the NIST Privacy Framework is the distinction between cybersecurity risk (risk to organizations from unauthorized access) and privacy risk (risk to individuals from authorized data processing). Privacy risk assessment under the framework uses a two-dimensional analysis: likelihood of a problematic data action (data collection, sharing, use, or retention that causes problems) and the severity of impact on individuals — defined across multiple dimensions of harm including physical, financial, reputational, psychological, and discriminatory harms. The Privacy Framework includes an Appendix mapping its subcategories to NIST SP 800-53 Rev 5 privacy controls, CSF cybersecurity subcategories, and ISO/IEC 29100 privacy principles, facilitating cross-framework integration.

How We Handle It

We use the NIST Privacy Framework to structure privacy risk assessments for clients seeking a vendor-neutral, risk-based approach that integrates with their existing NIST CSF cybersecurity programs. Our profile gap analysis tool maps current-state capabilities against target profiles, prioritizes remediation by privacy risk severity, and produces implementation roadmaps aligned to the Framework's five Functions.

Related Frameworks
NIST CSF
NIST SP 800-53 Rev 5
ISO 27701
ISO 29100