We are encouraged to see NIST building on the model of the highly successful Cybersecurity Framework CSF to address privacy and data protection concerns. The CSF has proved the power of the model—i.e., a standards-based, process-oriented framework for managing risk. While the subjects of privacy and security are in many ways distinct, there are sufficient areas of overlap such that coordination in risk-management efforts within and between organizations is necessary. Cisco therefore, urges NIST to adopt an approach consistent with the CSF when developing the Privacy Framework, which will maximize both interoperability and uptake of the two frameworks.
At Cisco past is rooted in connectivity, and our future is being built around it. Our people, products, and partners help society securely connect and seize tomorrow’s digital opportunity today. Given that so much of our technology is dependent on data, we agree with NIST’s assessment that more must be done to accelerate the advancement of technology engineered with privacy and security in mind, by design, and by default.
More must be done to accelerate the advancement of technology engineered with privacy and security in mind, by design, and by default
The development of a Privacy Framework can help spur the market to proactively engineer privacy controls into technologies. The resulting approach should positively impact data protection and privacy much in the same way that the development of the CSF drove adoption of risk-based processes for cybersecurity. This effort is intended to manage risks that are distinct from those addressed in the Cybersecurity Framework. The standards and controls included in the “informative references” will be different. However, we recommend that the new document be developed with the explicit intent of enabling interoperability between privacy and security risk management—and, therefore with the CSF—wherever possible. We look forward to working with NIST and the community of stakeholders on the advancement of this important project.