Cyber Risk Advisory
NIST Privacy Framework 1.1 [Draft]: Key Changes and Enterprise Takeaways

The National Institute of Standards and Technology (NIST) has proposed updates to its Privacy Framework (PFW), reflecting the evolving landscape of cybersecurity, supply chain management, and artificial intelligence. This post summarizes key changes in Version 1.1 and offers insights for privacy program managers who are working with the NIST PFW. In particular, the changes align privacy risk management more closely with organizational governance and cybersecurity programs.
While the changes represent an iteration rather than a transformation, they emphasize critical areas of focus and transition in enterprise risk management, including:
- Alignment between privacy and cybersecurity
- Supply chain and the “data processing ecosystem”
- Artificial intelligence
The PFW continues to support organizations in “deriving benefits from data while simultaneously managing risks to individuals’ privacy,” emphasizing ethical product design and deployment, resilient compliance strategies, and trust-building communication across stakeholders.
Alignment between Privacy and Cybersecurity
The close relationship between privacy and cybersecurity is a central theme of the proposed updates. There is no privacy without cybersecurity. As NIST explains, data protection is required “to prevent cybersecurity-related privacy events [privacy breaches], the overlap between privacy and cybersecurity risk management.” For this reason, NIST made two choices with the original PFW:
- Embedding cybersecurity controls focused on preventing privacy breaches within the PFW via the “Protect” function, enabling the PFW to stand alone.
- Aligning the PFW with the NIST Cybersecurity Framework (CSF), which addresses risks beyond breaches of personal data. This facilitates organizations wishing to implement both frameworks in tandem.
Updates to the PFW are necessary to align with evolving best practices. In February 2024, NIST published CSF 2.0, which was a major update to this framework. The proposed PFW updates integrate these significant CSF modifications. Practitioners implementing the PFW on a standalone basis benefit from updated industry best practices, while those aligning PFW-oriented privacy programs with CSF-based infosec programs benefit from a more harmonized approach.
NIST also encourages practitioners to recognize how the PFW "Protect" function may differ in scope or application from the CSF. Throughout the updated Protect controls, NIST explicitly emphasizes "data," underscoring the need to consider the protection of data specifically. Depending on how companies manage data, this scope may align with a typical CSF implementation or it may be more closely tied to vendor management.
Supply Chain and the “Data Processing Ecosystem”
When PFW 1.0 was released in 2020, data already crossed borders and business lines frequently. The framework addressed related risks through a discussion of the “data processing ecosystem,” a term used throughout the PFW and defined by NIST as “complex and interconnected relationships among entities involved in creating or deploying systems, products, or services or any components that process data.”
Since then, these interconnections have only become more complex, as have the related risks. Accordingly, new language about managing interdependencies has been added to the PFW, closely reflecting similar CSF 2.0 language:
- ID.BE-P5: Objectives, capabilities, and services that stakeholders depend on or expect from the organization are identified, communicated, and understood.
- ID.BE-P6: Outcomes, capabilities, and services that the organization depends on are identified, communicated, and understood.
- GV.RM-P5: Lines of communication across the organization are established for privacy risks, including risks from data processing ecosystem parties.
- GV.DE-P1: Data processing ecosystem risk management strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders.
Artificial Intelligence
NIST addresses the growing role of AI in privacy risk management through two proposed changes:
- Removing ID.RA-P2 “Data analytic inputs and outputs are identified and evaluated for bias” with the comment “This Subcategory related to artificial intelligence systems is WITHDRAWN to keep PF 1.1 Core outcomes technology-neutral.”
- Adding a description to the PFW introduction summarizing how the PFW can be used to manage privacy risks with respect to AI. This description emphasizes that outcomes identified throughout the framework can be applied to AI use cases and highlights the existence of the separate NIST AI Risk Management Framework.
These changes increase the adaptability of the PFW. Removing the AI-focused subcategory reduces any impression that PFW alone sufficiently addresses AI concerns. Meanwhile, the discussion of AI in the introduction encourages broader application of the framework across emerging technologies.
What PFW Updates Mean for Enterprise Risk Management
Sometimes the slightest changes are the most profound. NIST proposes adding one word to GV.PO-P6: “Governance and enterprise risk management policies, processes, and procedures address privacy risks.”
Many enterprise risk management programs incorporate cybersecurity and assume that lens will cover privacy concerns. While the PFW updates emphasize alignment with CSF 2.0, important differences remain in purpose, perspective, and outcomes. Recognizing these distinctions is critical to mitigating risk to end users and to the business. Given the increasingly interconnected nature of third-party partnerships and the widespread adoption of AI, embedding privacy risk into enterprise risk management programs has never been more urgent.
Overall, the proposed updates to the PFW are pragmatic reflections of changes in the risk landscape and industry best practices. NIST anticipates finalizing the PFW 1.1 updates before the end of 2025. For more details on the proposed changes or to comment on the draft (comments open through June 13, 2025), visit NIST’s post here.
However, organizations that do not yet incorporate privacy into enterprise risk management should consider adopting the current framework to start addressing risk today.
At Coalfire, we regularly work with partners on a variety of privacy assessments and frameworks. Our goal is to help you understand the purpose of the framework, prioritize the controls that are the most important for your specific environment, and align on a remediation roadmap that reduces risk.