The National Institute of Standards and Technology has published a new draft of its Privacy Framework, or PFW, enabling organizations to manage privacy risks posed by personal data passing through IT systems.

The updated PFW is designed to address existing privacy risk management requirements, maintain alignment with the revised Cybersecurity Framework, or CSF, and enhance usability, NIST said Monday. Failure to manage such risks could affect individuals and society and potentially damage organizations’ brands, bottom lines and growth prospects, the agency noted.

Managing Privacy Risks

Julie Anne Chua, director of the NIST’s applied cybersecurity division, described the release as “a modest but significant update.” “The PFW can be used on its own to manage privacy risks, but we have also maintained its compatibility with CSF 2.0 so that organizations can use them together to manage the full spectrum of privacy and cybersecurity risks,” she explained.

Notable Changes to Draft PFW

The draft PFW includes targeted changes to its core structure for alignment with the latest CSF version and a new section on AI and privacy risk management. The updated framework also moved its guidelines to the web, enabling users to readily access an interactive FAQ page that delivers quick answers. To complement the FAQ section, NIST established a PFW Learning Center that offers quick-start guides in several languages and features a video discussing the draft updates.

NIST is soliciting public comments on the draft and will accept submissions until June 13.

Join the Potomac Officers Club’s 2025 Cyber Summit on May 15 to discover innovative cyber technologies for a secure and resilient public sector. Register now to attend this important event!

The Department of Justice has released new guidance, frequently asked questions and an enforcement policy to facilitate the implementation of a national security program that seeks to prevent foreign adversaries from accessing and exploiting U.S. government-related data and bulk sensitive personal data.

DOJ said Friday the National Security Division, or NSD, implements the Data Security Program to prevent Russia, China, Iran and other countries of concern from gaining access to U.S. government data and Americans’ sensitive personal information. This is to prevent them from conducting surveillance and counterintelligence, building AI and military capabilities and performing espionage and other activities that undermine U.S. national security.

The DOJ in December issued a final rule to implement a regulatory program aimed at addressing potential national security threats resulting from foreign adversaries’ malicious use of sensitive data. This was part of the department’s compliance with an executive order.

Data Security Program Compliance Guide

The compliance guide describes best practices for complying with the Data Security Program, which took effect on April 8. It offers guidance on key definitions and the requirements for establishing a robust data compliance program.

The document also offers information on prohibited and restricted transactions, provides model contractual language and recommends best practices for complying with the program’s recordkeeping and audit requirements.

Meanwhile, the FAQs provide information on processes for requesting licenses and advisory opinions, reporting rejected transactions and disclosing program violations.

Implementation & Enforcement Policy

Under the implementation and enforcement policy, NSD will not prioritize civil enforcement actions against any individual for violations of the Data Security Program that occur from April through July 8, provided that the person engages in efforts to comply with the program. NSD expects individuals and entities to be in full compliance with the program at the end of the 90-day period.

The policy also delays certain affirmative due-diligence obligations, which do not go into effect until Oct. 6, to provide entities and individuals more time to comply with the program.