NIST Releases Updated Privacy Framework
On April 14, 2025, the National Institute of Standards and Technology (“NIST”) released draft updates to the NIST Privacy Framework, designed to address current privacy risk management needs, enhance usability, and align the Privacy Framework with Version 2.0 of the NIST Cybersecurity Framework (“NIST CSF”), released in February of last year. NIST has solicited public stakeholder comments on the draft updates; comments are due no later than June 13, 2025. Comments may be submitted to privacyframework@nist.gov, using the comment template found at the link below.
After the public comment period ends, NIST may hold a further workshop in Q3, with a final draft released in Q4 2025.
Key updates to the NIST Privacy Framework include:
- Revisions to and re-organization within the Core section to better align with the updated CSF, focusing on specific functions – particularly related to oversight and governance (i.e., risk management strategy and policies), and other similar issues.
- Targeted improvements based on stakeholder feedback.
- A new separate AI and Privacy Risk Management Section (Section 1.2.2) (now withdrawn from PF1.1 Core in version 1.0 to keep it technology-neutral). The new section describes how AI tools relate to privacy risks, such as the potential for privacy harm when AI systems: (a) are trained on data collected without individual consent, (b) have missing or inadequate privacy safeguards, or (c) reveal information about individuals by estimating personal attributes or through privacy attacks such as data reconstruction, prompt injections, or membership inference.
- A standalone online guide (versus the previous version, where it was embedded within Section 3 (“Using Privacy Framework 1.1”)). The online guide is now located on the Privacy Framework website as an Informative Reference. Section 3 now contains a short summary with a link to the online content.
More information about the updated Privacy Framework, a mapping that traces changes to the Core Categories and Subcategories between Framework versions, a comment template, and a highlights video that summarizes the development process and reviews key updates, can all be found here.
For questions about the NIST Privacy Framework, help with drafting and submitting public comments, or questions about how to implement the Framework to assess privacy risk management within your organization, please reach out to a member of our Maynard Nexsen Cybersecurity and Privacy team.
About Maynard Nexsen
Maynard Nexsen is a full-service law firm of nearly 600 attorneys in 31 locations from coast to coast across the United States. Maynard Nexsen was formed in 2023 when two successful, client-centered firms combined to create a powerful national team. Maynard Nexsen’s list of clients spans a wide range of industry sectors and includes both public and private companies.