
WHY IT MATTERS
Recognizing that protecting user data has become increasingly challenging due to pervasive cyberattacks, the U.S. Department of Commerce said it intends to align its two foundational privacy and cybersecurity frameworks.
The NIST Privacy Framework 1.1 Initial Public Draft targets changes to content and structure that respond to stakeholder needs, according to the agency.
The National Institute of Standards and Technology (NIST) says it needed to ensure that the granular set of activities and outcomes in the PFW, which aim to help organizations discuss risks, tie in seamlessly with those in the updated cybersecurity framework.
CSF 2.0 – which was a 10-year overhaul – aimed to align with the Biden administration's National Cybersecurity Strategy and offer a suite of resources that can be customized and used individually or in combination as an organization's cybersecurity needs change and its capabilities evolve.
With its PFW 1.1 draft, NIST seeks to clarify privacy risk management concepts and present useful strategies for improving the use of protected personal data. The draft also adds a new section on artificial intelligence and privacy risk management and offers a new online guide.
THE LARGER TREND
NIST first released the all-industry privacy protection framework in 2020 to help developers safely build smart products and services that use personal data.
Recognizing that failure to manage these risks affects individuals and damages organizations, NIST intended the framework to address ethical decision-making in product design, optimizing beneficial uses of data and minimizing adverse consequences.
"This tool is the result of NIST collaboration with a diverse set of stakeholders from around the world representing private industry, the public sector, academia and civil society over a yearlong open and transparent development process," explained Dylan Gilbert, a privacy engineering program lead at NIST, when the framework launched.
Noting a rise in cyberattacks affecting healthcare organizations in 2022, the U.S. Department of Health and Human Services published guidance on strengthening cyber posture, while NIST offered guidance to improve HIPAA Security Rule compliance, which has since been withdrawn with CSF 2.0 finalized.
ON THE RECORD
"This is a modest but significant update," said Julie Chua, NIST’s Applied Cybersecurity Division director, in a statement. "The PFW can be used on its own to manage privacy risks, but we have also maintained its compatibility with CSF 2.0 so that organizations can use them together to manage the full spectrum of privacy and cybersecurity risks."
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.