The NIST Privacy Framework celebrated its third birthday this year, and like any growing child, the framework is learning, growing, and adapting! The NIST Privacy Framework is a flexible tool modeled after the Cybersecurity Framework that organizations can apply in a variety of ways, such as establishing or improving a privacy program, designing privacy into products and services to build better consumer trust, and facilitating current compliance obligations. The Privacy Framework recognizes that the world of privacy is diverse, interdisciplinary, and constantly evolving.
Just as we learn from experiences, the NIST Privacy Framework has gathered invaluable lessons from implementations across industries. Since its original publication in January 2020, the NIST Privacy Framework has been published in five different languages and engaged privacy practitioners across the globe.
The NIST Privacy Workforce Working Group
The NIST Privacy Framework Roadmap recognizes that the benefits of using the Privacy Framework are enhanced when organizations have a knowledgeable and skilled privacy workforce. To support this, National Institute of Standards and Technology (NIST) established the Privacy Workforce Public Working Group (PWWG). The PWWG is a community of professionals from diverse backgrounds, including the general public, private industry, the public sector, academia, and civil society that is united under a shared goal – to nurture and develop a skilled privacy workforce. The PWWG plays a key role in the privacy landscape. It is the village that helps raise the child – in this case – the Privacy Framework, and as a result, the PWWG plays a key role in the privacy community.
Task, Knowledge, and Skill Statements
A critical first step is the development of a privacy workforce taxonomy to support organizations as they implement the Privacy Framework. The PWWG is responsible for creating Task, Knowledge, and Skill (TKS) Statements aligned with the NIST Privacy Framework and the National Initiative for Cybersecurity Education (NICE) Workforce Framework for Cybersecurity. This taxonomy will establish a common language, providing clarity on what is required to achieve desired privacy outcomes. TKS statements can be leveraged to support workforce recruitment and development through consistent position descriptions that attract the attract the right talent with the right skills and by informing education and training programs that can align their curriculum with the taxonomy.
To ensure a consistent approach across the NIST Privacy Framework Functions, Categories, and Subcategories, the PWWG adheres to the following guidelines when drafting TKS statements:
- Flexible: The statements can be applied or combined in various ways to address different local circumstances and needs.
- Consistent: The statements are drafted following common rules to ensure that they align with other statements in the building block category and can be used in a uniform manner.
- Clear: The statements are easy to read and understand, and not overly complex or lacking clarity.
- Affirmative: The statements are structured in an affirmative (i.e., grammatically positive) form in contrast to grammatically negative statements that use language such as “do not” or “avoid”.
- Discrete: The statements should not include more than one (compound) idea.
PWWG Project Teams
The PWWG comprises of short-term Project Teams that are responsible for creating TKS Statements aligned with a specific Category (and its associated Subcategories) in the Privacy Framework Core. Each Team consists of volunteer Team Leads and members who meet independently and reports out at the PWWG monthly meetings.
As one of the Team Leads for Project Team 7, I facilitate the discussion of the Awareness and Training Category under the Govern Function and lead the development of TKS statements for each subcategory.
Awareness and Training (GV.AT-P): The organization’s workforce and third parties engaged in data processing are provided privacy awareness education and are trained to perform their privacy-related duties and responsibilities consistent with related policies, processes, procedures, and agreements and organizational privacy values.
- GV.AT-P1: The workforce is informed and trained on its roles and responsibilities.
- GV.AT-P2: Senior executives understand their roles and responsibilities.
- GV.AT-P3: Privacy personnel understand their roles and responsibilities.
- GV.AT-P4: Third parties (e.g., service providers, customers, partners) understand their roles and responsibilities.
How Can You Support the PWWG?
The NIST Privacy Framework has come a long way in a brief time, and its journey continues. The PWWG is a dedicated village of professionals working together to nurture a skilled privacy workforce, recognizing that privacy is a shared responsibility that involves us all. It's interdisciplinary, and it "takes a village." What works for one organization may not work for another, and everyone has a unique perspective to share.
The PWWG's work is ongoing, and there are several ways you can get involved and support this vital initiative:
- Join the PWWG: Attend the monthly meetings to stay up to date with the latest developments. During these sessions, teams will brief the audience on their work over the past month.
- Participate in Project Teams: You can sign up for Teams six (Risk Management Strategy), seven (Awareness and Training), or eight (Data Processing Management), which are actively working on tasks. If you're interested in other aspects of privacy, consider joining upcoming teams set to kick off in September/October, such as Team nine (Monitoring and Review), Team 10 (Disassociated Processing), and Team 11 (Data Processing Awareness).
- Adopt the Privacy Framework: Reach out and ask me about the NIST Privacy Framework or tell me about your own experiences!
By supporting these efforts, we can help shape a future where privacy is protected, respected, and upheld regardless of industry or sector.
Growing a Diverse Workforce in Cybersecurity
With the National Cyber Strategy Workforce Development Implementation strategy release just around the corner, the conversation around increasing diversity within the cybersecurity industry has never been more prevalent.
Diverse Perspectives, Stronger Defenses: Growing the Cyber Workforce Through Diversity
The demand for cybersecurity professionals far outstrips the supply and the need to fill these positions will only grow. The necessity of a strong, diverse workforce to fill these positions is critical to protecting the public and private sectors.
Landmark SEC rule requires cybersecurity risk and incident disclosures
The wait is over. The Securities and Exchange Commission (SEC) has issued a final rule to enhance and standardize disclosures regarding cybersecurity risk management, governance, and incidents by all companies that are publicly traded.