Harmless Systems

There is no such thing as harmless software.

At a Glance: NIST Privacy Framework

In January NIST released the Privacy Framework Version 1.0 and it couldn't have come soon enough. The somewhat overloaded term "Privacy" is a hot topic right now with new laws being passed, breaches happening one right after the other, and no shortage of companies trying to hop on the privacy bandwagon without any standardized measurements to support or convey their claims.

The framework doesn't solve all of these problems but it does offer a foundation and common language from which to build. Organizations can use it to help identify and prioritize actions for reducing privacy risks, assist in fulfilling compliance obligations, and formalize existing practices.

road sign with all-seeing eye


The Privacy Framework is composed of three parts: "Core", "Profiles", and "Implementation Tiers" and is modeled after the NIST Cybersecurity Framework. Crosswalks are being developed to map details in the framework to laws, regulations, and standards to help organizations understand what parts of the framework are most relevant to their requirements.


The core defines a set of privacy-related activities with increasing granularity and consists of "Functions", "Categories", and "Subcategories". It's important to note that an organization doesn't need to concern itself with every activity in the core. An organization should pick from and extend the items in the core to create a custom "Profile" best suited to the organization's needs. An organization is also free to create their own functions, categories, and subcategories as needed.

One function of the core is "Identify-P", which is defined as: "Develop the organizational understanding to manage privacy risk for individuals arising from data processing." The image below is an illustration of the Identify-P function broken down into its categories and subcategories.

Identify-P Function breakdown


A profile can roughly be summarized as an organization’s current and target privacy posture. The items in the profile are taken from the core, or the organization's custom functions, categories, and subcategories.

NIST understands that identifying and achieving improved privacy goals is not a "big bang" event and have addressed this in their design of the framework. This real-world awareness is likely due to the fact they've worked with the community in building the framework and more than 50 organizations have provided suggestions on how to improve the privacy framework.

Profile relation ships

Implementation Tiers

There are four distinct tiers:

  • Tier 1: Partial
  • Tier 2: Risk Informed
  • Tier 3: Repeatable
  • Tier 4: Adaptive

Each tier describes an increasingly mature phase of implementation. NIST does not expect every organization to achieve every tier but only the tiers that make sense for their use-cases.

Some Ideas to Increase Adoption

The framework is still young but I'm interested to see if any developer-focused tools are created to work with the framework. Getting developer buy-in and awareness would be beneficial. For example, a tool that uses your profiles to help build out a draft privacy policy for a new application or a tool that parses docblocks (sourcecode documentation with annotations) to create a draft privacy risk assessment.

Take the following pseudocode for example:

 * Create a new user.
 * @param string  $email   User's email address
 * @param array   $groups  User's groups.
 * @return bool
 * @privacy-framework ID.IM-P3 Groups are users, employees, and admins.
 * @privacy-framework ID.IM-P5 Email is required to send password reset 
 *   and notification emails.
 * @privacy-framework ID.RA-P3 If we disclose that an email already exists
 *   in the system are we exposing information?
public function createUser(string $email, array $groups) : bool {

This sort of approach would require the developers to have some knowledge of the privacy framework or security and privacy professionals to be familiar enough with the code to make appropriate annotations (neither of which sound like terrible things but may not be practical for all organizations.) A cheat sheet and a brief overview would probably be enough to get most developers started. I'm excited to see what's next!

If you're wondering where to get started, I'd suggest looking at the hypothetical use cases on NIST's website first then read through the Privacy Framework itself. If your business needs assistance in adopting the Privacy Framework, contact us and we'll get you going.