As government contractors implement the DFARS cybersecurity contract clause (DFARS 252.204-7012) and await the expected Federal Civilian-wide clause, other U.S. companies are figuring out the impact and requirements of the EU General Data Protection Regulation (GDPR).

Meanwhile, the U.S. Government (both the executive branch and Congress) is moving out smartly on new privacy requirements, driven by the Facebook breach and new state laws relating to data privacy. So you shouldn’t exhaust your network configuration budget without anticipating the impact of these new requirements.

Today we look at NIST’s efforts to develop a new Privacy Framework to supplement its widely used Cybersecurity Framework.  Some key facts:

  • The NIST Request for Information (RFI) was published on November 14, 2018, and Frequently Asked Questions are available at https://www.nist.gov/privacy-framework/frequently-asked-questions.
  • Comments are due by December 31, 2018, and a live webinar on the RFI was held on November 29, 2018.
  • NIST intends for the Privacy Framework to provide a prioritized, flexible, risk-based, outcome-based and cost-effective risk management framework that will be voluntary and non-prescriptive, and compatible and usable with other enterprise privacy approaches.
  • It is related to, but separate from, the Department of Commerce’s National Telecommunications and Information Administration request for comments on consumer privacy, which we will discuss in our next newsletter.

Berenzweig Leonard is teaming up with Red Team Consulting for a monthly newsletter featuring upcoming contracts, key protest decisions, events, and more. This post was published in the December 2018 Monthly Insights newsletter.

Steve Britt is a Partner at Berenzweig Leonard and leads the firm’s Cybersecurity Law practice.