On May 10, 2023, the National Institute of Standards and Technology (NIST) released the initial public draft of Revision 3 to its foundational publication, SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The publication provides security requirements for protecting controlled unclassified information (CUI) in contractor systems; because DFARS clause 252.204-7012 incorporates it by reference, those requirements establish the baseline cybersecurity obligations of federal defense contractors that handle CUI.
UPDATED FOR COLORADO: What is considered sensitive personal information?
Some privacy statutes explicitly reference “sensitive” or “special” categories of personal information. Although these terms, where used, tend to cover similar data types that are generally considered to pose a greater privacy risk to data subjects if disclosed, the exact categories that fall under them differ from statute to statute. Furthermore, other privacy statutes do not…
Does the NIST privacy framework require that companies score themselves?
No. The NIST privacy framework recommends that companies summarize their maturity with respect to each category by using four “Tiers.” The Tiers describe whether the company’s current practices in the relevant domain are Partial (Tier 1), Risk Informed (Tier 2), Repeatable (Tier 3), or Adaptive (Tier 4).…
What is a profile in the context of the NIST privacy framework?
The NIST privacy framework uses the term “current profile” to describe the current state of a company’s privacy program in relation to a specific Subcategory. So, for example, a company might include the following description in its current profile for the following Subcategory:

| Subcategory | Current Profile |
| --- | --- |
| ID.IM-P1: Systems/products/services that process data are inventoried. | The |

…
How many core subcategories are included in the NIST privacy framework?
The NIST privacy framework uses the term “core” to describe a set of privacy activities and outcomes. The core is composed of three nested levels: Function, Category, and Subcategory. Subcategories are the most granular and tangible level of the core. In total, the NIST privacy framework proposes 100 Subcategories. It should be noted, however,…
How many core categories are included in the NIST privacy framework?
The NIST privacy framework uses the term “core” to describe a set of privacy activities and outcomes. The core is composed of three nested levels: Function, Category, and Subcategory. Categories are subdivisions of the Functions and groupings of the Subcategories. In total, the NIST privacy framework contains 18 Categories.
Does ISO 27701 adopt different terminology than ISO 29100?
No. ISO 27701 utilizes the same terms, definitions, and abbreviations as ISO 29100.
How many core functions does the NIST privacy framework identify?
The NIST privacy framework uses the term “core” to describe a set of privacy activities and outcomes. The core is composed of three nested levels: Function, Category, and Subcategory. Functions are the broadest level of the core; the framework recommends five: Identify, Govern, Control, Communicate, and Protect (written Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P in the framework itself, the “-P” suffix distinguishing them from the similarly named Functions of the NIST Cybersecurity Framework).
What is the NIST privacy ‘core’?
The NIST privacy framework uses the term “core” to describe a set of privacy activities and outcomes. The core is composed of three nested levels: Function, Category, and Subcategory. So, for example, the concept that a data subject should have the right to access their personal information is found within NIST under the Core…
What is the NIST privacy framework?
In January 2020, the National Institute of Standards and Technology, a part of the United States Department of Commerce, released a privacy framework intended to help organizations identify and manage privacy risks. Like the ISO 29100 privacy framework that predated it, the NIST privacy framework is designed to provide common terminology to communicate privacy-related …