From their site:
"The NIST Privacy Framework is a voluntary tool developed in collaboration with stakeholders intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals’ privacy."
What is a voluntary tool? Beats me.
Who are the stakeholders? Beats me.
Help organizations to manage risk. What kind of risk? Whose privacy?
Yadda yadda yadda... Run-on sentence.
My take away: NIST needs to hire writers.
> The NIST Privacy Framework is a voluntary tool
This is something that organizations can choose to use. We are a standards body, not a regulatory agency.
> developed in collaboration with stakeholders
We actually talked to people who need and use standards of this sort. We integrated their feedback.
> intended to help organizations identify and manage privacy risk
The goal is to help organizations understand the chances they are taking with private data.
> build innovative products and services while protecting individuals’ privacy
While still being able to actually make use of the data to accomplish goals that matter in some way.
----
Basically, this is completely comprehensible to most people and organizations who expect to be making use of this sort of standard. Like any technical document, it has a specialized vocabulary. It is not written for, and should not be judged by, the prose expectations of the general population.
NIST has writers. They are technical writers who are writing technical documentation intended for technical readers. We should calibrate our expectations accordingly.
I agree, full stop. I would like to know the background of the parent poster just to understand his motivation for criticizing.
Was he writing with a negative approach just because he can, or did he just fail to get the meaning between the lines because he is not the target audience?
I can imagine the benefit of having this as a reference, instead of needing to have meetings across departments and levels to negotiate who's responsible for what, in an open-ended way.
Thanks to NIST for providing a Schelling point for appropriate coordination to uphold privacy, and a scaffold of reasonably good, reasonably thorough thinking about how to appropriately handle privacy, and the general roles of everyone involved in a coherent effort inside or outside an enterprise. Raising the water line!
"Voluntary tool" means other federal agencies are not required to adopt it. "Developed in collaboration with stakeholders" means this was not 100% internally developed at NIST.
The rest of your questions are answered in the FAQ.
It's not a run-on sentence; it's just a long one, and if you're looking for a way to ensure your users' privacy while building a computer-oriented service, that executive summary tells you enough to decide whether this is something you want to further investigate. Drive-by web forum commentators, in general, are not considered target audience for these documents.
NIST is a government organization, and it helps to explain that this is a tool provided by government for your discretionary use; it is not a regulatory framework.
It doesn't take a genius to understand what a voluntary tool/framework is. Like many of the NIST frameworks, including the well-known cyber security framework, these aren't mandated by NIST to be used.
Rather, organisations globally can use the framework in uplifting or driving improved measures around privacy.
If you go to the NIST website and read it, you will have all of your questions clearly answered.
This one is in the tl;dr HN uninformed expert Hall of Fame. Did you click even one level down? NIST is a standards organization whose usually very careful work is to provide frameworks for people to make products, make business decisions, and create entire industries. It's not a single GitHub repo you can clone or a blog post you can dissect. The companies, researchers, and organizations that will use this framework understand it and will, I am sure, be able to use it and suggest areas of improvement.
NIST doesn’t make any regulations, it’s a standards and metrology agency. Is there something specific in this framework that you think benefits big tech (or some other parties) but is not in the best interest of the public?
FedRAMP, StateRAMP, and CMMC are entirely based on NIST standards. If you want to do business with the federal, state or local government you will need to comply with these regulations (soon; these programs are being rolled out).
Edit: Granted, OP obviously has no idea what they're talking about. They are very forward thinking methods for ensuring a zero trust network, communications and data exchange. They include very explicit controls and requirements for maintaining data security.
https://www.nist.gov/privacy-framework/request-comment
And here is the PDF that should answer all of the other questions you have:
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.01162020.pd...
NIST generally doesn’t have any “power” that they can abuse - unless you consider any standards organization an abuse of sovereignty or some such
(pdf) https://harvardnsj.org/wp-content/uploads/2022/06/Vol13Iss2_...
The recent Pentagon papers are nothing if not impressive in showing how deeply US intelligence is in just about every conversation that matters.
So can we trust NIST? As far as I know there have been concerns in the past that they have played ball and so have private security firms.
That said maybe a US backdoor is better than all round shoddy engineering?
I imagine something like this would be a great way to slip in a weak link.