Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Other (Initial Public Draft)

NIST Privacy Framework: An Enterprise Risk Management Tool

Date Published: April 30, 2019
Comments Due: No closing date (ongoing comment period)
Email Comments to:


National Institute of Standards and Technology


The NIST Privacy Framework Discussion Draft is provided for discussion purposes to promote the development of the NIST Privacy Framework: An Enterprise Risk Management Tool. NIST will use feedback on this discussion draft to develop a preliminary draft of the framework.

  • Structure: Based on stakeholder feedback, this discussion draft is aligned with the structure of the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) to support compatibility between the two frameworks. Feedback also supported use of additional organizing constructs referenced in NIST's Request for Information, such as privacy principles (e.g., the Fair Information Practice Principles), the information life cycle, and the NIST privacy engineering objectives (i.e., predictability, manageability, disassociability) or other constructs. NIST welcomes feedback on how well these concepts have been integrated, as well as whether the Privacy Framework could be effectively implemented independently or in conjunction with the Cybersecurity Framework.
  • Privacy Risk Management: Based on feedback indicating a lack of a consistent or widespread understanding of privacy risks and privacy risk management, this discussion draft provides guidance on these topics in section 1.2 and Appendix D. NIST welcomes feedback on whether this guidance will be useful to organizations.
  • Core: This discussion draft provides a proposed Core, including functions, categories, and subcategories. NIST welcomes feedback on the Core, particularly regarding (i) gaps in, clarifications to, or usefulness of the categories and subcategories, (ii) organization of the functions, categories, and subcategories, and (iii) areas that need further development and may be more appropriate for the Roadmap section in Appendix F.
  • Informative References: This discussion draft defines informative references as specific sections of standards, guidelines, and practices that can be mapped to the Core subcategories and support achievement of the subcategory outcomes. In an effort to increase contributions of informative references and simplify updating, NIST is providing a mapping of the Core to relevant NIST guidance as a separate, companion document to this discussion draft. In addition, NIST will develop a process for accepting external informative references. NIST welcomes feedback regarding this approach to informative references.
  • Overall Discussion Draft: In general, NIST is interested in whether the Privacy Framework as proposed in this discussion draft could be readily usable as part of an enterprise's broader risk management processes and scalable to organizations of various sizes—and if not, how it could be improved to suit a greater range of organizations.

Although these highlight key areas of interest, all feedback is welcome. Please consider using our comment template spreadsheet to prepare and submit your comments.



privacy; privacy framework; risk management
Control Families

None selected


NIST Privacy Framework (Discussion Draft) (pdf)

Supplemental Material:
Comment template (optional) (xlsx)
NIST Privacy Framework project

Document History:
04/30/19: Other (Draft)
09/09/19: Other (Draft)
01/16/20: CSWP 10 (Final)


Security and Privacy

privacy engineering, risk management


cybersecurity framework