From their site:
"The NIST Privacy Framework is a voluntary tool developed in collaboration with stakeholders intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals’ privacy."
What is a voluntary tool? Beats me.
Who are the stakeholders? Beats me.
Help organizations to manage risk. What kind of risk? Whose privacy?
yadda yadda yadda... Run-on sentence.
My takeaway: NIST needs to hire writers.
This is something that organizations can choose to use. We are a standards body, not a regulatory agency.
> developed in collaboration with stakeholders
We actually talked to people who need and use standards of this sort. We integrated their feedback.
> intended to help organizations identify and manage privacy risk
The goal is to help organizations understand the chances they are taking with private data.
> build innovative products and services while protecting individuals’ privacy
While still being able to actually make use of the data to accomplish goals that matter in some way.
----
Basically, this is completely comprehensible to most people and organizations who expect to be making use of this sort of standard. Like any technical document, it has a specialized vocabulary. It is not written for, and should not be judged by, the prose expectations of the general population.
NIST has writers. They are technical writers who are writing technical documentation intended for technical readers. We should calibrate our expectations accordingly.
I agree, full stop. I would like to know the background of the parent poster just to understand his motivation for criticizing.
Was he writing with a negative approach just because he can, or did he just fail to get the meaning between the lines because he is not the target audience?
At a guess, not the target audience combined with a failure to recognize it as a technical document. The latter is completely understandable. NIST uses words that can be found in daily business use, but they take on technical meanings.
I disagree. It's an overly wordy and imprecise read for the kind of person who is the target audience (which is what "technical" means here). Further, this sort of translation only works on this particular snippet because it's an introduction and statement of purpose. The policy details would not translate nearly so well or coherently.
You may as well request that IETF RFCs be rendered into lay language. You can do it, but it would likely make them much less useful as specifications.
I can imagine the benefit of having this as a reference, instead of needing to have meetings across departments and levels to negotiate who's responsible for what, in an open-ended way.
Thanks to NIST for providing a Schelling point for appropriate coordination to uphold privacy, and a scaffold of reasonably good, reasonably thorough thinking about how to appropriately handle privacy, and the general roles of everyone involved in a coherent effort inside or outside an enterprise. Raising the water line!
"Voluntary tool" means other federal agencies are not required to adopt it. "Developed in collaboration with stakeholders" means this was not 100% internally developed at NIST.
The rest of your questions are answered in the FAQ.
It's not a run-on sentence; it's just a long one, and if you're looking for a way to ensure your users' privacy while building a computer-oriented service, that executive summary tells you enough to decide whether this is something you want to further investigate. Drive-by web forum commentators, in general, are not considered target audience for these documents.
NIST is a government organization, and it helps to explain that this is a tool provided by government for your discretionary use; it is not a regulatory framework.
It doesn't take a genius to understand what a voluntary tool/framework is. Like many of the NIST frameworks including the well known cyber security framework, these aren't mandated by NIST to be used.
But organisations globally can use the framework to uplift or drive improved measures around privacy.
If you go to the NIST website and read it, you will have all of your questions clearly answered.
This one is in the tl;dr HN uninformed expert Hall of Fame. Did you click even one level down? NIST is a standards organization whose usually very careful work is to provide frameworks for people to make products, make business decisions, and create entire industries. It's not a single GitHub repo you can clone or a blog post you can dissect. The companies, researchers, and organizations that will use this framework understand it and will, I am sure, be able to use it and suggest areas of improvement.
If you were there when we were writing that copy back in 2005, you could have schooled us in how not to write like an LLM that hadn't been invented yet.
Also, the copy you're referring to was written by a contractor, not "a bureaucrat."
NIST doesn’t make any regulations, it’s a standards and metrology agency. Is there something specific in this framework that you think benefits big tech (or some other parties) but is not in the best interest of the public?
FedRAMP, StateRAMP, and CMMC are entirely based on NIST standards. If you want to do business with the federal, state or local government you will need to comply with these regulations (soon; these programs are being rolled out).
Edit: Granted, OP obviously has no idea what they're talking about. They are very forward thinking methods for ensuring a zero trust network, communications and data exchange. They include very explicit controls and requirements for maintaining data security.
My understanding was that NSA was the bad actor here. Not NIST. They intentionally withheld information about a timing vulnerability in an encryption algorithm that was being evaluated for standardization by NIST.
We’ll see once Bernstein v NIST[1] settles, though I’m willing to accept that was normal bureaucratic apathy and inertia rather than anything nefarious. Still, if we change “trust NIST [not to be evil]” to “trust NIST’s processes [not to be exploitable by evil]”, I’m not at all reassured. It pays to remember the backdoor was not at all unknown[2] even before the standard entered NIST from ANSI.
Honestly, the whole debacle with making NIST be in charge of (civilian) cryptography makes me more than a little bit sad. Originally, it’s a metrology institution. Metrologists (worldwide) are a very small circle of narrow-focused (and not outrageously well-paid) specialists that usually react to anybody being interested in their field with the kind of joy most often encountered in small fluffy animals. (They are similar to archivists, observational astronomers, or invertebrate biologists in that way.) Now it seems as though the whole enterprise in the US has become tainted by the association with the national security behemoth.
If it were not for the fact that this has happened multiple times, and that each time the cryptography community was openly skeptical, I could believe "normal bureaucratic apathy and inertia."
Bernstein vs. NIST is just a FOIA suit, about an open standards contest where all the participants were public academics. It's not going to uncover the next BULLRUN.
I don’t really expect it to (and the known situation is bad enough already that I don’t expect much would change even if it did).
But I do hope it’ll shed some light on the entanglement (pun not intended) between the NSA and whatever process drives NIST’s crypto publications. There obviously has to be some, given the former is the US government crypto expert and the other is the issuer of public documents on US government crypto. But as a data point for NIST’s credibility, it’d be nice to know how screwed up it is there. Maybe I won’t learn anything about that here either? Dunno.
If you're going to blame NIST for what NSA did in this case - you might as well say "don't even trust anyone for digital privacy" since the NSA already collects literally everything from everyone.
I think the implication that NIST lacks integrity is unfair.
You do understand this is a non-obligatory guidance document, right? You can continue to not read nor understand it and no one will be any the wiser. The NSA will almost certainly not put you on a blacklist someplace (no promises and all that). Then you can google "privacy framework" to find a wealth of other non-obligatory guidance documents more to your liking (most of which will reference a NIST document or two someplace, so be careful).
You're out of line, and the point they (and I) were making is that if you can't read this document and analyze it with your human mind to guide an organization's privacy policies, then you shouldn't be in the biz.
One's privacy policies can be built on, but not limited to, this document. Again, this isn't a deep technical spec like a crypto algo, that only a handful of people are qualified to analyze, upon which your entire org rests.
The disagreement here is you thinking that people are unable to process this for potential gaps, where others say you can.
Since I don't know who you are, who your perceived adversaries are or what your risk tolerance is, I'd be really disingenuous if I told you who you should trust given your concerns; for all you know I could be an NSA operative. So how precisely is "Google one that is more to your liking" being 'purposely obtuse'? Seems like pretty clear, unambiguous advice since there are dozens of possible options that only you can prioritize, but clearly that recommendation bruised your painfully thin skin.