Amidst rising concern around consumer data privacy, NIST is currently developing a data privacy framework that is similar in spirit to the popular Cybersecurity Framework (CSF). Like the CSF, the upcoming privacy Framework will be a close inter-collaboration between public and private sector stakeholders to create a gold-standard, voluntary framework. The great challenge will likely center upon how well the new Privacy Framework integrates with the existing CSF and Risk Management Framework (RMF).
Overview of the NIST CSF and RMF
What was remarkable about the NIST CSF when it was first released in 2014 was the fact that it was driven by outcomes and did not explicitly prescribe controls to achieve those outcomes. That allowed practitioners to implement the NIST CSF using varying controls. Further, the CSF is designed in such a way that it facilitates rapid adoption: it is nested in increasing levels of granularity with the subcategories showing outcomes and the tiers showing a view of cyber risk. The NIST CSF was designed for adaptability and scalability regardless of the organization and that became even more true in Revision, 1.1. When I attended the NIST Cyber Risk Management Conference, a trend I noted was the increased concern around supply chain risk (and rightfully so). The CSF uses a light touch with respect to privacy, mentioning it in the guidance and in two subcategories. However, when the CSF is implemented via an RMF process, privacy becomes much more integrated into the security practice.
The NIST Risk Management Framework actually addresses data privacy in depth. The 2.0 version acknowledges that privacy regulations are not slowing down and risk managers should use both the traditional data protection triad (confidentiality, integrity, visibility) as well as privacy regulatory standards (such as GDPR and the upcoming CCPA).
The RMF itself focuses on risk assessments as both a baselining and benchmarking mechanism. Moreover, the RMF serves as a means to discuss risk at all levels and use the data from risk assessments to decide what controls to implement, regardless of the complexity of your risk assessment methodology, from crown jewels or business objectives through to NIST 800-30 or FAIR.
The RMF directly references the CSF in task P4 in version 2.0. The CSF is deliberately flexible enough to mitigate and address risk from the function level, the category, and the subcategory levels. Optimally, organizations that leverage an RMF instantiated version of the CSF will get a powerful view into their cyber processes and risk mitigations.
Using the RMF to Inform How Privacy and Risk teams should interact
For larger organizations where risk and privacy tend to be separate teams, the RMF is actually pretty explicit in how these teams should interact. A privacy mindset for most security teams means more work - just because customers’ personally identifiable information (PII) is secure doesn’t mean it’s private. Using the RMF to determine how to manage PII will typically revolve around the risk assessment and identifying where your organization's weak points exist with respect to both security and privacy.
While most organizations use the RMF for a security risk assessment, they can also use it for a privacy risk assessment - a fundamental aspect of the new Privacy Framework.
The new Privacy Framework
If the RMF supports privacy-centric security, then why invest in a separate privacy framework? In the same way that the RMF enables practitioners to communicate risk up the chain, the new Privacy Framework will do the same for data privacy. The concern for many organizations around privacy is an increasingly technology- literate customer base - both consumer and businesses - with privacy typically at the top of their own concerns. While the RMF helps teams think about addressing and mitigating privacy risk, it does not define a core set of activities for continuous improvement and mitigation. That’s what the new Privacy Framework seeks to address.
Based on my review of the draft version of the Privacy Framework, we can expect it to be very similar to the CSF with the RMF as a foundational element. The Privacy Framework uses a similar core approach with five functions, three of which map directly to the CSF: identify, protect, control, inform, and respond. In the case of the two new functions (control and inform), I can see how they would fit directly into a Privacy Framework/CSF combination for most businesses. These kinds of efficiencies will become paramount as organizations seek to meet regulatory requirements, protect their assets and business, and address enterprise risk in an increasingly complex space.
The key to harmonizing privacy and security starts with the Risk Management Framework. Risk assessments (security in the case of the CSF and privacy in the case of the Privacy Framework) are the foundation of any strong security and privacy program. As more and more regulations arrive, using robust, flexible, and industry tested frameworks such as the CSF and the impending Privacy Framework will become the norm for almost all security organizations.
