├── .github └── ISSUE_TEMPLATE │ ├── config.yml │ ├── verification.md │ └── feedback.md ├── resources ├── PII Inventory Dashboard │ ├── AIC meeting deck.pdf │ └── contribution-form.md ├── NIST PRAM Tool │ ├── Tool Resource - NIST PRAM_mapping.xlsx │ └── contribution-form.md ├── CCPA Crosswalk │ ├── NIST Privacy Framework to CCPA crosswalk.xlsx │ └── contribution-form.md ├── NIST SP 800-53 Crosswalk │ ├── csf-pf-to-sp800-53r5-mappings.xlsx │ └── contribution-form ├── VDCPA Crosswalk │ ├── NIST Privacy Framework to VDCPA crosswalk.xlsx │ └── Contribution-Form.md ├── LGPD Crosswalk │ ├── Resource Privacy Framework to LGPD crosswalk.xlsx │ └── contribution-form.md ├── NISTIR 8062 Guidance │ ├── Guidance Resource - NISTIR_8062_mapping.xlsx │ └── contribution-form.md ├── CCPA Regulations Crosswalk │ ├── CCPA-Regs-to-SP800-53r5-to-pf-mappings.xlsx │ └── crosswalk-form.md ├── CCPA-CPRA Crosswalk │ ├── NIST Privacy Framework to CCPA-CPRA crosswalk.xlsx │ └── Contribution-Form.md ├── GDPR-Regulation 2016 679 │ ├── Resource Privacy Framework to GDPR crosswalk.xlsx │ └── crosswalk.md ├── NIST SP 800-37 Guidance │ ├── Guidance Resource - NIST SP 80037_Rev2_mapping.xlsx │ └── contribution-form.md ├── FIPPs Crosswalk │ ├── NIST-Privacy-Framework-Version1-Crosswalk-SLC- FIPPs-NIST PF.xlsx │ └── Contribution-Form.md ├── IAPP CIPM Crosswalk │ ├── NIST-Privacy-Framework-V1.0-Crosswalk-IAPP-CIPM_resource.xlsx │ └── contribution-form.md ├── z Archive │ └── NIST SP 800-53 Guidance │ │ ├── Guidance Resource - NIST SP 80053_IPD_mapping.xlsx │ │ └── contribution-form.md ├── ISO 27701 Crosswalk Microsoft │ ├── NIST-Privacy-Framework-Version1-Crosswalk-ISO-IEC 27701_Microsoft.xlsx │ └── Contribution form.md ├── AICPA TSC Crosswalk │ ├── NIST-Privacy-Framework-Version1-Crosswalk-AICPA-Trust-Services-Criteria-Mapping.xlsx │ └── contribution-form.md ├── Cybersecurity Framework Crosswalk │ ├── Crosswalk Resource- Cybersecurity Framework to NIST Privacy Framework.xlsx │ └── contribution-form.md 
├── DPDPA Crosswalk │ ├── Decoding India Privacy Digital Personal Data Protection Act (DPDPA) 2023 Crosswalk to NIST.xls │ └── Contribution-Form.md ├── NIST SP 800-113 Guidance │ └── contribution-form.md ├── NIST SP 800-77 Guidance │ └── contribution-form.md ├── NIST SP 800-121 Guidance │ └── contribution-form.md ├── NIST Software Assurance Metrics and Tool Evaluation Tool │ └── contribution-form.md ├── NIST SP 800-61 Guidance │ └── contribution-form.md ├── NIST SP 800-115 Guidance │ └── contribution-form.md ├── National Software Reference Library Tool │ └── contribution-form.md ├── NISTIR 8053 Guidance │ └── contribution-form.md ├── NISTIR 8149 Guidance │ └── contribution-form.md ├── NIST SP 800-88 Guidance │ └── contribution-form.md ├── NIST Cryptographic Algorithm Validation Program Tool │ └── contribution-form.md ├── NIST SP 800-162 Guidance │ └── contribution-form.md ├── NIST SP 800-114 Guidance │ └── contribution-form.md ├── NIST SP 800-46 Guidance │ └── contribution-form.md ├── NIST Automated Combinatorial Testing for Software Tool │ └── contribution-form.md ├── NIST SP 800-84 Guidance │ └── contribution-form.md ├── NIST SP 800-34 Guidance │ └── contribution-form.md ├── NIST SP 800-30 Guidance │ └── contribution-form.md ├── FIPS 199 Guidance │ └── contribution-form.md ├── NISTIR 8112 Guidance │ └── contribution-form.md ├── NIST SP 800-188 Guidance │ └── contribution-form.md ├── NIST SP 800-63 Guidance │ └── contribution-form.md ├── NISTIR 7622 Guidance │ └── contribution-form.md ├── NIST SP 800-175B Guidance │ └── contribution-form.md ├── NIST SP 800-160 Vol 1 Guidance │ └── contribution-form.md ├── NIST SP 800-161 Guidance │ └── contribution-form.md ├── NIST SP 800-53A Guidance │ └── contribution-form.md ├── NIST SP 800-39 Guidance │ └── contribution-form.md ├── NISTIR 8011 Guidance │ └── contribution-form.md ├── Data Minimization for AI Tool │ └── contribution-form.md ├── Reference Architecture for Privacy Stack - Access Control │ └── 
guideline-tool-form.md ├── LINDDUN │ └── contribution-form.md ├── Reference Architecture for Privacy Stack - Data Fortification Tools │ └── guideline-tool-form.md ├── Reference Architecture for Privacy Stack - Data Discovery │ └── guideline-tool-form.md ├── Reference Architecture for Privacy Stack - Data Authoring Policies │ └── guideline-tool-form.md └── Reference Architecture for Privacy Stack - Permission Management │ └── contribution-form.md ├── CONTRIBUTING.md ├── contribution-forms ├── crosswalk-form.md └── Profile-form.md └── README.md /.github/ISSUE_TEMPLATE/config.yml: -------------------------------------------------------------------------------- 1 | blank_issues_enabled: false 2 | -------------------------------------------------------------------------------- /resources/PII Inventory Dashboard/AIC meeting deck.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/usnistgov/PrivacyFrmwkResources/HEAD/resources/PII Inventory Dashboard/AIC meeting deck.pdf -------------------------------------------------------------------------------- /resources/NIST PRAM Tool/Tool Resource - NIST PRAM_mapping.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/usnistgov/PrivacyFrmwkResources/HEAD/resources/NIST PRAM Tool/Tool Resource - NIST PRAM_mapping.xlsx -------------------------------------------------------------------------------- /resources/CCPA Crosswalk/NIST Privacy Framework to CCPA crosswalk.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/usnistgov/PrivacyFrmwkResources/HEAD/resources/CCPA Crosswalk/NIST Privacy Framework to CCPA crosswalk.xlsx -------------------------------------------------------------------------------- /resources/NIST SP 800-53 Crosswalk/csf-pf-to-sp800-53r5-mappings.xlsx: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/usnistgov/PrivacyFrmwkResources/HEAD/resources/NIST SP 800-53 Crosswalk/csf-pf-to-sp800-53r5-mappings.xlsx -------------------------------------------------------------------------------- /resources/VDCPA Crosswalk/NIST Privacy Framework to VDCPA crosswalk.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/usnistgov/PrivacyFrmwkResources/HEAD/resources/VDCPA Crosswalk/NIST Privacy Framework to VDCPA crosswalk.xlsx -------------------------------------------------------------------------------- /resources/LGPD Crosswalk/Resource Privacy Framework to LGPD crosswalk.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/usnistgov/PrivacyFrmwkResources/HEAD/resources/LGPD Crosswalk/Resource Privacy Framework to LGPD crosswalk.xlsx -------------------------------------------------------------------------------- /resources/NISTIR 8062 Guidance/Guidance Resource - NISTIR_8062_mapping.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/usnistgov/PrivacyFrmwkResources/HEAD/resources/NISTIR 8062 Guidance/Guidance Resource - NISTIR_8062_mapping.xlsx -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/verification.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Annual Resource Verification 3 | about: For NIST to request annual contributor verification of resources. 
4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | -------------------------------------------------------------------------------- /resources/CCPA Regulations Crosswalk/CCPA-Regs-to-SP800-53r5-to-pf-mappings.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/usnistgov/PrivacyFrmwkResources/HEAD/resources/CCPA Regulations Crosswalk/CCPA-Regs-to-SP800-53r5-to-pf-mappings.xlsx -------------------------------------------------------------------------------- /resources/CCPA-CPRA Crosswalk/NIST Privacy Framework to CCPA-CPRA crosswalk.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/usnistgov/PrivacyFrmwkResources/HEAD/resources/CCPA-CPRA Crosswalk/NIST Privacy Framework to CCPA-CPRA crosswalk.xlsx -------------------------------------------------------------------------------- /resources/GDPR-Regulation 2016 679/Resource Privacy Framework to GDPR crosswalk.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/usnistgov/PrivacyFrmwkResources/HEAD/resources/GDPR-Regulation 2016 679/Resource Privacy Framework to GDPR crosswalk.xlsx -------------------------------------------------------------------------------- /resources/NIST SP 800-37 Guidance/Guidance Resource - NIST SP 80037_Rev2_mapping.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/usnistgov/PrivacyFrmwkResources/HEAD/resources/NIST SP 800-37 Guidance/Guidance Resource - NIST SP 80037_Rev2_mapping.xlsx -------------------------------------------------------------------------------- /resources/FIPPs Crosswalk/NIST-Privacy-Framework-Version1-Crosswalk-SLC- FIPPs-NIST PF.xlsx: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/usnistgov/PrivacyFrmwkResources/HEAD/resources/FIPPs Crosswalk/NIST-Privacy-Framework-Version1-Crosswalk-SLC- FIPPs-NIST PF.xlsx -------------------------------------------------------------------------------- /resources/IAPP CIPM Crosswalk/NIST-Privacy-Framework-V1.0-Crosswalk-IAPP-CIPM_resource.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/usnistgov/PrivacyFrmwkResources/HEAD/resources/IAPP CIPM Crosswalk/NIST-Privacy-Framework-V1.0-Crosswalk-IAPP-CIPM_resource.xlsx -------------------------------------------------------------------------------- /resources/z Archive/NIST SP 800-53 Guidance/Guidance Resource - NIST SP 80053_IPD_mapping.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/usnistgov/PrivacyFrmwkResources/HEAD/resources/z Archive/NIST SP 800-53 Guidance/Guidance Resource - NIST SP 80053_IPD_mapping.xlsx -------------------------------------------------------------------------------- /resources/ISO 27701 Crosswalk Microsoft/NIST-Privacy-Framework-Version1-Crosswalk-ISO-IEC 27701_Microsoft.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/usnistgov/PrivacyFrmwkResources/HEAD/resources/ISO 27701 Crosswalk Microsoft/NIST-Privacy-Framework-Version1-Crosswalk-ISO-IEC 27701_Microsoft.xlsx -------------------------------------------------------------------------------- /resources/AICPA TSC Crosswalk/NIST-Privacy-Framework-Version1-Crosswalk-AICPA-Trust-Services-Criteria-Mapping.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/usnistgov/PrivacyFrmwkResources/HEAD/resources/AICPA TSC Crosswalk/NIST-Privacy-Framework-Version1-Crosswalk-AICPA-Trust-Services-Criteria-Mapping.xlsx 
-------------------------------------------------------------------------------- /resources/Cybersecurity Framework Crosswalk/Crosswalk Resource- Cybersecurity Framework to NIST Privacy Framework.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/usnistgov/PrivacyFrmwkResources/HEAD/resources/Cybersecurity Framework Crosswalk/Crosswalk Resource- Cybersecurity Framework to NIST Privacy Framework.xlsx -------------------------------------------------------------------------------- /resources/DPDPA Crosswalk/Decoding India Privacy Digital Personal Data Protection Act (DPDPA) 2023 Crosswalk to NIST.xls: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/usnistgov/PrivacyFrmwkResources/HEAD/resources/DPDPA Crosswalk/Decoding India Privacy Digital Personal Data Protection Act (DPDPA) 2023 Crosswalk to NIST.xls -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feedback.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feedback 3 | about: Share feedback and ask questions about resources in the repository. 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | Please include the following details about the resource in your “Issue” to ensure the contributor is informed about this feedback. 
11 | 12 | **Resource identifier:** 13 | **Contributor’s GitHub username:** @[enter username] 14 | 15 | **Feedback:** 16 | -------------------------------------------------------------------------------- /resources/NIST SP 800-113 Guidance/contribution-form.md: -------------------------------------------------------------------------------- 1 | # Guidance & Tools Contribution Form 2 | 3 | **Contributor:** National Institute of Standards and Technology (NIST) 4 | 5 | **Contributor GitHub Username:** @kboeckl 6 | 7 | **Resource:** https://doi.org/10.6028/NIST.SP.800-113 8 | 9 | **Related Documentation:** n/a 10 | 11 | **Guidance/Tool Name:** NIST Special Publication 800-113, Guide to SSL VPNs 12 | 13 | **Relevant Core Classification:** Specific Subcategory: PR.AC-P3 14 | 15 | **Contributor Notes:** n/a 16 | -------------------------------------------------------------------------------- /resources/NIST SP 800-77 Guidance/contribution-form.md: -------------------------------------------------------------------------------- 1 | # Guidance & Tools Contribution Form 2 | 3 | **Contributor:** National Institute of Standards and Technology (NIST) 4 | 5 | **Contributor GitHub Username:** @kboeckl 6 | 7 | **Resource:** https://doi.org/10.6028/NIST.SP.800-77r1 8 | 9 | **Related Documentation:** n/a 10 | 11 | **Guidance/Tool Name:** NIST Special Publication 800-77, Revision 1, Guide to IPsec VPNs 12 | 13 | **Relevant Core Classification:** Specific Subcategory: PR.AC-P3 14 | 15 | **Contributor Notes:** n/a 16 | -------------------------------------------------------------------------------- /resources/NIST SP 800-121 Guidance/contribution-form.md: -------------------------------------------------------------------------------- 1 | # Guidance & Tools Contribution Form 2 | 3 | **Contributor:** National Institute of Standards and Technology (NIST) 4 | 5 | **Contributor GitHub Username:** @kboeckl 6 | 7 | **Resource:** https://doi.org/10.6028/NIST.SP.800-121r2 8 | 9 | **Related 
Documentation:** n/a 10 | 11 | **Guidance/Tool Name:** NIST Special Publication 800-121, Revision 2, Guide to Bluetooth Security 12 | 13 | **Relevant Core Classification:** Specific Subcategory: PR.AC-P3 14 | 15 | **Contributor Notes:** n/a 16 | -------------------------------------------------------------------------------- /resources/NIST Software Assurance Metrics and Tool Evaluation Tool/contribution-form.md: -------------------------------------------------------------------------------- 1 | # Guidance & Tools Contribution Form 2 | 3 | **Contributor:** National Institute of Standards and Technology (NIST) 4 | 5 | **Contributor GitHub Username:** @kboeckl 6 | 7 | **Resource:** https://samate.nist.gov/Main_Page.html 8 | 9 | **Related Documentation:** n/a 10 | 11 | **Guidance/Tool Name:** NIST Software Assurance Metrics and Tool Evaluation 12 | 13 | **Relevant Core Classification:** Specific Subcategory: CT.DM-P9 14 | 15 | **Contributor Notes:** n/a 16 | -------------------------------------------------------------------------------- /resources/NIST SP 800-61 Guidance/contribution-form.md: -------------------------------------------------------------------------------- 1 | # Guidance & Tools Contribution Form 2 | 3 | **Contributor:** National Institute of Standards and Technology (NIST) 4 | 5 | **Contributor GitHub Username:** @kboeckl 6 | 7 | **Resource:** https://doi.org/10.6028/NIST.SP.800-61r2 8 | 9 | **Related Documentation:** n/a 10 | 11 | **Guidance/Tool Name:** NIST Special Publication 800-61, Revision 2, Computer Security Incident Handling Guide 12 | 13 | **Relevant Core Classification:** Specific Subcategory: PR.PO-P7 14 | 15 | **Contributor Notes:** n/a 16 | -------------------------------------------------------------------------------- /resources/NIST SP 800-115 Guidance/contribution-form.md: -------------------------------------------------------------------------------- 1 | # Guidance & Tools Contribution Form 2 | 3 | **Contributor:** National 
Institute of Standards and Technology (NIST) 4 | 5 | **Contributor GitHub Username:** @kboeckl 6 | 7 | **Resource:** https://doi.org/10.6028/NIST.SP.800-115 8 | 9 | **Related Documentation:** n/a 10 | 11 | **Guidance/Tool Name:** NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment 12 | 13 | **Relevant Core Classification:** Specific Subcategory: CT.DM-P9 14 | 15 | **Contributor Notes:** n/a 16 | -------------------------------------------------------------------------------- /resources/National Software Reference Library Tool/contribution-form.md: -------------------------------------------------------------------------------- 1 | # Guidance & Tools Contribution Form 2 | 3 | **Contributor:** National Institute of Standards and Technology (NIST) 4 | 5 | **Contributor GitHub Username:** @kboeckl 6 | 7 | **Resource:** https://www.nist.gov/software-quality-group/national-software-reference-library-nsrl 8 | 9 | **Related Documentation:** n/a 10 | 11 | **Guidance/Tool Name:** National Software Reference Library 12 | 13 | **Relevant Core Classification:** Specific Subcategory: CT.DM-P9 14 | 15 | **Contributor Notes:** n/a 16 | -------------------------------------------------------------------------------- /resources/NISTIR 8053 Guidance/contribution-form.md: -------------------------------------------------------------------------------- 1 | # Guidance & Tools Contribution Form 2 | 3 | **Contributor:** National Institute of Standards and Technology (NIST) 4 | 5 | **Contributor GitHub Username:** @kboeckl 6 | 7 | **Resource:** https://doi.org/10.6028/NIST.IR.8053 8 | 9 | **Related Documentation:** n/a 10 | 11 | **Guidance/Tool Name:** NIST Internal Report (NISTIR) 8053, De-Identification of Personal Information 12 | 13 | **Relevant Core Classification:** Specific Subcategories: CT.DP-P1, CT.DP-P2, CT.DP-P3, CT.DP-P4 14 | 15 | **Contributor Notes:** n/a 16 | 
-------------------------------------------------------------------------------- /resources/NISTIR 8149 Guidance/contribution-form.md: -------------------------------------------------------------------------------- 1 | # Guidance & Tools Contribution Form 2 | 3 | **Contributor:** National Institute of Standards and Technology (NIST) 4 | 5 | **Contributor GitHub Username:** @kboeckl 6 | 7 | **Resource:** https://doi.org/10.6028/NIST.IR.8149 8 | 9 | **Related Documentation:** n/a 10 | 11 | **Guidance/Tool Name:** NIST Interagency or Internal Report (NISTIR) 8149, Developing Trust Frameworks to Support Identity Federations 12 | 13 | **Relevant Core Classification:** Specific Subcategory: ID.DE-P4 14 | 15 | **Contributor Notes:** n/a 16 | -------------------------------------------------------------------------------- /resources/NIST SP 800-88 Guidance/contribution-form.md: -------------------------------------------------------------------------------- 1 | # Guidance & Tools Contribution Form 2 | 3 | **Contributor:** National Institute of Standards and Technology (NIST) 4 | 5 | **Contributor GitHub Username:** @kboeckl 6 | 7 | **Resource:** https://doi.org/10.6028/NIST.SP.800-88r1 8 | 9 | **Related Documentation:** n/a 10 | 11 | **Guidance/Tool Name:** NIST Special Publication (SP) 800-88, Revision 1, Guidelines for Media Sanitization 12 | 13 | **Relevant Core Classification:** Specific Subcategories: CT.PO-P2, CT.DM-P4, CT.DM-P5 14 | 15 | **Contributor Notes:** n/a 16 | -------------------------------------------------------------------------------- /resources/NIST Cryptographic Algorithm Validation Program Tool/contribution-form.md: -------------------------------------------------------------------------------- 1 | # Guidance & Tools Contribution Form 2 | 3 | **Contributor:** National Institute of Standards and Technology (NIST) 4 | 5 | **Contributor GitHub Username:** @kboeckl 6 | 7 | **Resource:** 
https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program 8 | 9 | **Related Documentation:** n/a 10 | 11 | **Guidance/Tool Name:** NIST Cryptographic Algorithm Validation Program 12 | 13 | **Relevant Core Classification:** Specific Subcategory: CT.DM-P9 14 | 15 | **Contributor Notes:** n/a 16 | -------------------------------------------------------------------------------- /resources/NIST SP 800-162 Guidance/contribution-form.md: -------------------------------------------------------------------------------- 1 | # Guidance & Tools Contribution Form 2 | 3 | **Contributor:** National Institute of Standards and Technology (NIST) 4 | 5 | **Contributor GitHub Username:** @kboeckl 6 | 7 | **Resource:** https://doi.org/10.6028/NIST.SP.800-162 8 | 9 | **Related Documentation:** n/a 10 | 11 | **Guidance/Tool Name:** NIST Special Publication 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations 12 | 13 | **Relevant Core Classification:** Specific Subcategory: PR.AC-P3 14 | 15 | **Contributor Notes:** n/a 16 | -------------------------------------------------------------------------------- /resources/NIST SP 800-114 Guidance/contribution-form.md: -------------------------------------------------------------------------------- 1 | # Guidance & Tools Contribution Form 2 | 3 | **Contributor:** National Institute of Standards and Technology (NIST) 4 | 5 | **Contributor GitHub Username:** @kboeckl 6 | 7 | **Resource:** https://doi.org/10.6028/NIST.SP.800-114r1 8 | 9 | **Related Documentation:** n/a 10 | 11 | **Guidance/Tool Name:** NIST Special Publication 800-114, Revision 1, User's Guide to Telework and Bring Your Own Device (BYOD) Security 12 | 13 | **Relevant Core Classification:** Specific Subcategory: PR.AC-P3 14 | 15 | **Contributor Notes:** n/a 16 | -------------------------------------------------------------------------------- /resources/NIST SP 800-46 Guidance/contribution-form.md: 
-------------------------------------------------------------------------------- 1 | # Guidance & Tools Contribution Form 2 | 3 | **Contributor:** National Institute of Standards and Technology (NIST) 4 | 5 | **Contributor GitHub Username:** @kboeckl 6 | 7 | **Resource:** https://doi.org/10.6028/NIST.SP.800-46r2 8 | 9 | **Related Documentation:** n/a 10 | 11 | **Guidance/Tool Name:** NIST SP 800-46, Revision 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security 12 | 13 | **Relevant Core Classification:** Specific Subcategory: PR.AC-P3 14 | 15 | **Contributor Notes:** n/a 16 | -------------------------------------------------------------------------------- /resources/NIST Automated Combinatorial Testing for Software Tool/contribution-form.md: -------------------------------------------------------------------------------- 1 | # Guidance & Tools Contribution Form 2 | 3 | **Contributor:** National Institute of Standards and Technology (NIST) 4 | 5 | **Contributor GitHub Username:** @kboeckl 6 | 7 | **Resource:** https://csrc.nist.gov/Projects/automated-combinatorial-testing-for-software 8 | 9 | **Related Documentation:** n/a 10 | 11 | **Guidance/Tool Name:** NIST Automated Combinatorial Testing for Software Tool 12 | 13 | **Relevant Core Classification:** Specific Subcategory: CT.DM-P9 14 | 15 | **Contributor Notes:** n/a 16 | -------------------------------------------------------------------------------- /resources/NIST SP 800-84 Guidance/contribution-form.md: -------------------------------------------------------------------------------- 1 | # Guidance & Tools Contribution Form 2 | 3 | **Contributor:** National Institute of Standards and Technology (NIST) 4 | 5 | **Contributor GitHub Username:** @kboeckl 6 | 7 | **Resource:** https://doi.org/10.6028/NIST.SP.800-84 8 | 9 | **Related Documentation:** n/a 10 | 11 | **Guidance/Tool Name:** NIST Special Publication 800-84, Guide to Test, Training, and Exercise Programs for IT Plans 
and Capabilities 12 | 13 | **Relevant Core Classification:** Specific Subcategories: PR.PO-P3, PR.PO-P8 14 | 15 | **Contributor Notes:** n/a 16 | -------------------------------------------------------------------------------- /resources/NIST SP 800-34 Guidance/contribution-form.md: -------------------------------------------------------------------------------- 1 | # Guidance & Tools Contribution Form 2 | 3 | **Contributor:** National Institute of Standards and Technology (NIST) 4 | 5 | **Contributor GitHub Username:** @kboeckl 6 | 7 | **Resource:** https://doi.org/10.6028/NIST.SP.800-34r1 8 | 9 | **Related Documentation:** n/a 10 | 11 | **Guidance/Tool Name:** NIST Special Publication 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems 12 | 13 | **Relevant Core Classification:** Specific Subcategories: PR.PO-P3, PR.PO-P7, PR.PO-P8 14 | 15 | **Contributor Notes:** n/a 16 | -------------------------------------------------------------------------------- /resources/NIST SP 800-30 Guidance/contribution-form.md: -------------------------------------------------------------------------------- 1 | # Guidance & Tools Contribution Form 2 | 3 | **Contributor:** National Institute of Standards and Technology (NIST) 4 | 5 | **Contributor GitHub Username:** @kboeckl 6 | 7 | **Resource:** https://doi.org/10.6028/NIST.SP.800-30r1 8 | 9 | **Related Documentation:** n/a 10 | 11 | **Guidance/Tool Name:** NIST Special Publication (SP) 800-30, Revision 1, Guide for Conducting Risk Assessments 12 | 13 | **Relevant Core Classification:** Specific Subcategories: ID.RA-P3, ID.RA-P4, ID.RA-P5, ID.DE-P2, PR.PO-P10 14 | 15 | **Contributor Notes:** n/a 16 | -------------------------------------------------------------------------------- /resources/FIPS 199 Guidance/contribution-form.md: -------------------------------------------------------------------------------- 1 | # Guidance & Tools Contribution Form 2 | 3 | **Contributor:** National Institute of Standards 
and Technology (NIST) 4 | 5 | **Contributor GitHub Username:** @kboeckl 6 | 7 | **Resource:** https://doi.org/10.6028/NIST.FIPS.199 8 | 9 | **Related Documentation:** n/a 10 | 11 | **Guidance/Tool Name:** Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems 12 | 13 | **Relevant Core Classification:** Specific Subcategory: PR.AC-P3 14 | 15 | **Contributor Notes:** n/a 16 | -------------------------------------------------------------------------------- /resources/NISTIR 8112 Guidance/contribution-form.md: -------------------------------------------------------------------------------- 1 | # Guidance & Tools Contribution Form 2 | 3 | **Contributor:** National Institute of Standards and Technology (NIST) 4 | 5 | **Contributor GitHub Username:** @kboeckl 6 | 7 | **Resource:** https://doi.org/10.6028/NIST.IR.8112 8 | 9 | **Related Documentation:** n/a 10 | 11 | **Guidance/Tool Name:** NIST Internal Report (NISTIR) 8112, Attribute Metadata: A Proposed Schema for Evaluating Federated Attributes 12 | 13 | **Relevant Core Classification:** Specific Subcategories: CT.DM-P6, CT.DM-P7, CT.DP-P5, CM.AW-P5, CM.AW-P6 14 | 15 | **Contributor Notes:** n/a 16 | -------------------------------------------------------------------------------- /resources/NIST SP 800-188 Guidance/contribution-form.md: -------------------------------------------------------------------------------- 1 | # Guidance & Tools Contribution Form 2 | 3 | **Contributor:** National Institute of Standards and Technology (NIST) 4 | 5 | **Contributor GitHub Username:** @kboeckl 6 | 7 | **Resource:** https://csrc.nist.gov/CSRC/media/Publications/sp/800-188/draft/documents/sp800_188_draft2.pdf 8 | 9 | **Related Documentation:** n/a 10 | 11 | **Guidance/Tool Name:** NIST Special Publication 800-188, De-Identifying Government Datasets (draft) 12 | 13 | **Relevant Core Classification:** Specific Subcategories: CT.DP-P1, 
CT.DP-P2, CT.DP-P3, CT.DP-P4 14 | 15 | **Contributor Notes:** n/a 16 | -------------------------------------------------------------------------------- /resources/NIST SP 800-63 Guidance/contribution-form.md: -------------------------------------------------------------------------------- 1 | # Guidance & Tools Contribution Form 2 | 3 | **Contributor:** National Institute of Standards and Technology (NIST) 4 | 5 | **Contributor GitHub Username:** @kboeckl 6 | 7 | **Resource:** https://csrc.nist.gov/publications/detail/sp/800-63/3/final 8 | 9 | **Related Documentation:** n/a 10 | 11 | **Guidance/Tool Name:** NIST Special Publication 800-63-3, Digital Identity Guidelines 12 | 13 | **Relevant Core Classification:** Specific Subcategories: CT.PO-P1, CT.PO-P3, CT.DP-P1, CT.DP-P2, CT.DP-P3, CT.DP-P4, CT.DP-P5, PR.AC-P1, PR.AC-P6 14 | 15 | **Contributor Notes:** n/a 16 | -------------------------------------------------------------------------------- /resources/NISTIR 7622 Guidance/contribution-form.md: -------------------------------------------------------------------------------- 1 | # Guidance & Tools Contribution Form 2 | 3 | **Contributor:** National Institute of Standards and Technology (NIST) 4 | 5 | **Contributor GitHub Username:** @kboeckl 6 | 7 | **Resource:** https://doi.org/10.6028/NIST.IR.7622 8 | 9 | **Related Documentation:** n/a 10 | 11 | **Guidance/Tool Name:** NIST Interagency Report (NISTIR) 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems 12 | 13 | **Relevant Core Classification:** Specific Subcategories: ID.BE-P1, ID.DE-P1, ID.DE-P2, ID.DE-P3, ID.DE-P5, GV.AT-P4 14 | 15 | **Contributor Notes:** n/a 16 | -------------------------------------------------------------------------------- /resources/NIST SP 800-175B Guidance/contribution-form.md: -------------------------------------------------------------------------------- 1 | # Guidance & Tools Contribution Form 2 | 3 | **Contributor:** National Institute of 
Standards and Technology (NIST)

**Contributor GitHub Username:** @kboeckl

**Resource:** https://doi.org/10.6028/NIST.SP.800-175Br1

**Related Documentation:** n/a

**Guidance/Tool Name:** NIST Special Publication 800-175B, Revision 1, Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms

**Relevant Core Classification:** Specific Subcategories: PR.DS-P1, PR.DS-P2, PR.DS-P6

**Contributor Notes:** n/a

--------------------------------------------------------------------------------
/resources/NIST SP 800-160 Vol 1 Guidance/contribution-form.md:
--------------------------------------------------------------------------------
# Guidance & Tools Contribution Form

**Contributor:** National Institute of Standards and Technology (NIST)

**Contributor GitHub Username:** @kboeckl

**Resource:** https://doi.org/10.6028/NIST.SP.800-160v1

**Related Documentation:** n/a

**Guidance/Tool Name:** NIST Special Publication 800-160, Volume 1, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems

**Relevant Core Classification:** Specific Subcategory: CT.PO-P4

**Contributor Notes:** n/a

--------------------------------------------------------------------------------
/resources/NIST SP 800-161 Guidance/contribution-form.md:
--------------------------------------------------------------------------------
# Guidance & Tools Contribution Form

**Contributor:** National Institute of Standards and Technology (NIST)

**Contributor GitHub Username:** @kboeckl

**Resource:** https://doi.org/10.6028/NIST.SP.800-161

**Related Documentation:** n/a

**Guidance/Tool Name:** NIST Special Publication 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations

**Relevant Core Classification:** Specific Subcategories: ID.BE-P1, ID.DE-P1, ID.DE-P2, ID.DE-P3, ID.DE-P5, GV.AT-P4

**Contributor Notes:** n/a

--------------------------------------------------------------------------------
/resources/NIST SP 800-37 Guidance/contribution-form.md:
--------------------------------------------------------------------------------
# Guidance & Tools Contribution Form

**Contributor:** National Institute of Standards and Technology (NIST)

**Contributor GitHub Username:** @kboeckl

**Resource:** https://doi.org/10.6028/NIST.SP.800-37r2

**Related Documentation:** mapping document in directory

**Guidance/Tool Name:** NIST Special Publication 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy

**Relevant Core Classification:** Specific Subcategories

**Contributor Notes:** n/a

--------------------------------------------------------------------------------
/resources/NIST SP 800-53A Guidance/contribution-form.md:
--------------------------------------------------------------------------------
# Guidance & Tools Contribution Form

**Contributor:** National Institute of Standards and Technology (NIST)

**Contributor GitHub Username:** @kboeckl

**Resource:** https://doi.org/10.6028/NIST.SP.800-53Ar4

**Related Documentation:** n/a

**Guidance/Tool Name:** NIST Special Publication 800-53A, Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans

**Relevant Core Classification:** Specific Subcategories: GV.MT-P3, CT.DM-P9

**Contributor Notes:** n/a

--------------------------------------------------------------------------------
/resources/VDCPA Crosswalk/Contribution-Form.md:
--------------------------------------------------------------------------------
# Crosswalk Contribution Form

**Contributor:** Foram Dave, BakerHostetler

**Contributor GitHub Username:** @ForamDave

**Resource:** n/a

**Related Documentation:** n/a

**Crosswalk Name:** VCDPA Crosswalk

**Source Name:** Virginia Consumer Data Protection Act (VCDPA)

**Link to Source:** Link to the official text of the VCDPA: [https://lis.virginia.gov/cgi-bin/legp604.exe?211+ful+SB1392ES1](https://lis.virginia.gov/cgi-bin/legp604.exe?211+ful+SB1392ES1)

**Source Type:** laws and regulations

**Contributor Notes:** n/a

--------------------------------------------------------------------------------
/resources/NIST SP 800-39 Guidance/contribution-form.md:
--------------------------------------------------------------------------------
# Guidance & Tools Contribution Form

**Contributor:** National Institute of Standards and Technology (NIST)

**Contributor GitHub Username:** @kboeckl

**Resource:** https://doi.org/10.6028/NIST.SP.800-39

**Related Documentation:** n/a

**Guidance/Tool Name:** NIST Special Publication (SP) 800-39, Managing Information Security Risk: Organization, Mission, and Information System View

**Relevant Core Classification:** Specific Subcategories: ID.RA-P4, ID.RA-P5, GV.PO-P1, GV.PO-P6, GV.RM-P1, GV.RM-P2, GV.RM-P3, PR.PO-P5

**Contributor Notes:** n/a

--------------------------------------------------------------------------------
/resources/NISTIR 8011 Guidance/contribution-form.md:
--------------------------------------------------------------------------------
# Guidance & Tools Contribution Form

**Contributor:** National Institute of Standards and Technology (NIST)

**Contributor GitHub Username:** @kboeckl

**Resource:** https://doi.org/10.6028/NIST.IR.8011-1, https://doi.org/10.6028/NIST.IR.8011-2, https://doi.org/10.6028/NIST.IR.8011-3, https://doi.org/10.6028/NIST.IR.8011-4

**Related Documentation:** n/a

**Guidance/Tool Name:** NISTIR 8011, Automation Support for Security Control Assessments (Vols 1, 2, 3, and 4)

**Relevant Core Classification:** Specific Subcategory: CT.DM-P9

**Contributor Notes:** n/a

--------------------------------------------------------------------------------
/resources/FIPPs Crosswalk/Contribution-Form.md:
--------------------------------------------------------------------------------
# Crosswalk Contribution Form

**Contributor:** Dr. Sarah L. Cortes, Northeastern University

**Contributor GitHub Username:** @SarahCortes

**Resource:** N/A

**Related Documentation:** N/A

**Crosswalk Name:** NIST Privacy Framework 1.0-FIPPs Crosswalk

**Source Name:** Fair Information Practice Principles (FIPPs)

**Link to Source:** https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf

**Source Type:** framework

**Contributor Notes:** FIPPs are high-level and older. This uses the 2016 White House OMB version of the FIPPs.
--------------------------------------------------------------------------------
/resources/CCPA-CPRA Crosswalk/Contribution-Form.md:
--------------------------------------------------------------------------------
# Crosswalk Contribution Form

**Contributor:** Jerel Pacis Agatep, BakerHostetler

**Contributor GitHub Username:** @jerelagatep

**Resource:** n/a

**Related Documentation:** For the latest on the CCPA and CPRA, see the California Office of the Attorney General CCPA Homepage: https://oag.ca.gov/privacy/ccpa

**Crosswalk Name:** CCPA/CPRA Crosswalk

**Source Name:** California Privacy Rights Act (CPRA)

**Link to Source:** https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5

**Source Type:** laws and regulations

**Contributor Notes:** n/a

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
1. Fork a copy of USNISTGOV/PrivacyFrmwkResources to your own organizational or personal space.
2. Create a branch in your fork, named specifically for your contribution.
3. In your branch:

A. Create a new directory within the Resources directory (i.e., Resources/[your-contribution-name]).

B. Name the directory to describe your contribution.

C. Include in your directory the following:

* contribution form
* resource – Include “resource” in the file name to differentiate it from any additional related documentation.
* additional related documentation (optional)

4. Create a pull request from your branch to the master branch in USNISTGOV/PrivacyFrmwkResources.
--------------------------------------------------------------------------------
/resources/NIST PRAM Tool/contribution-form.md:
--------------------------------------------------------------------------------
# Guidance & Tools Contribution Form

**Contributor:** National Institute of Standards and Technology (NIST)

**Contributor GitHub Username:** @kboeckl

**Resource:** https://www.nist.gov/itl/applied-cybersecurity/privacy-engineering/resources

**Related Documentation:** See mapping document in directory

**Guidance/Tool Name:** NIST Privacy Risk Assessment Methodology (PRAM) Version February 2019

**Relevant Core Classification:** Specific Subcategories: ID.IM-P1, ID.IM-P2, ID.IM-P3, ID.IM-P4, ID.IM-P6, ID.IM-P7, ID.IM-P8, ID.BE-P2, ID.BE-P3, ID.RA-P1, ID.RA-P4, ID.RA-P5, GV.PO-P1, GV.PO-P2, GV.PO-P5, GV.PO-P6

**Contributor Notes:** n/a

--------------------------------------------------------------------------------
/resources/Data Minimization for AI Tool/contribution-form.md:
--------------------------------------------------------------------------------
# Guidance & Tools Contribution Form

**Contributor:** IBM

**Contributor GitHub Username:** @abigailgold

**Resource:** https://github.com/IBM/ai-minimization-toolkit

**Related Documentation:** https://ai-minimization-toolkit.readthedocs.io/en/master/

**Guidance/Tool Name:** ai-minimization-toolkit

**Associated Core Classification:** Protective Technology (PR.PT-P), Disassociated Processing (CT.DP-P)

**Contributor Notes:** This tool is aimed at helping machine learning model developers to adhere to the data minimization principle by determining the minimal level of detail required for newly collected data to make accurate predictions with the model.
--------------------------------------------------------------------------------
/resources/NISTIR 8062 Guidance/contribution-form.md:
--------------------------------------------------------------------------------
# Guidance & Tools Contribution Form

**Contributor:** National Institute of Standards and Technology (NIST)

**Contributor GitHub Username:** @kboeckl

**Resource:** https://csrc.nist.gov/publications/detail/nistir/8062/final

**Related Documentation:** See mapping document in directory

**Guidance/Tool Name:** NIST Internal Report 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems

**Relevant Core Classification:** Specific Subcategories: ID.IM-P1, ID.IM-P2, ID.IM-P3, ID.IM-P4, ID.IM-P6, ID.IM-P7, ID.IM-P8, ID.BE-P2, ID.BE-P3, ID.RA-P1, ID.RA-P3, ID.RA-P4, ID.RA-P5, GV.PO-P1, GV.PO-P2, GV.PO-P5, GV.PO-P6, GV.MT-P1, CT.DP-P5, CM.AW-P2

**Contributor Notes:** n/a

--------------------------------------------------------------------------------
/resources/Reference Architecture for Privacy Stack - Access Control /guideline-tool-form.md:
--------------------------------------------------------------------------------
**Contributor:** Nandita Rao Narla, Ethical Tech Project

**Contributor GitHub Username:** @nandita-rao

**Resource:** https://github.com/ethical-tech-project/the-privacy-stack#access-control-authorization-integration

**Related Documentation:** https://theprivacystack.org/

**Guideline/Tool Name:** Reference Architecture for Privacy Stack

**Associated Core Classification:** PR.AC-P4

**Contributor Notes:** The reference architecture for privacy stack is designed to guide technologists as they design, build and maintain systems that respect privacy and process data ethically. Interested in giving feedback, supporting, or joining the cause?
Email Us: *contact@theprivacystack.org*

--------------------------------------------------------------------------------
/resources/Cybersecurity Framework Crosswalk/contribution-form.md:
--------------------------------------------------------------------------------
# Crosswalk Contribution Form

**Contributor:** National Institute of Standards and Technology (NIST)

**Contributor GitHub Username:** @kboeckl

**Resource:** https://github.com/usnistgov/PrivacyFrmwkResources/raw/master/resources/Cybersecurity%20Framework%20Crosswalk/Crosswalk%20Resource-%20Cybersecurity%20Framework%20to%20NIST%20Privacy%20Framework.xlsx

**Related Documentation:** n/a

**Crosswalk Name:** Cybersecurity Framework Crosswalk

**Source Name:** Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (Cybersecurity Framework)

**Link to Source:** https://doi.org/10.6028/NIST.CSWP.04162018

**Source Type:** framework

**Contributor Notes:** n/a

--------------------------------------------------------------------------------
/resources/LINDDUN/contribution-form.md:
--------------------------------------------------------------------------------
# Guidance & Tools Contribution Form

**Contributor:** imec-DistriNet, KU Leuven

**Contributor GitHub Username:** @kimwuyts

**Resource:** https://www.linddun.org/downloads, https://www.linddun.org/go

**Related Documentation:** Additional information on both LINDDUN and LINDDUN GO is available on the LINDDUN website.

**Guidance/Tool Name:** LINDDUN privacy threat modeling framework

**Associated Core Classification:** Subcategories: ID.RA-P3, ID.RA-P4, ID.RA-P5

**Contributor Notes:** The LINDDUN threat modeling framework provides support to systematically elicit and mitigate privacy threats in software architectures.
The more lightweight LINDDUN GO toolkit primarily focuses on the identification of privacy threats (ID.RA-P3).

--------------------------------------------------------------------------------
/resources/Reference Architecture for Privacy Stack - Data Fortification Tools/guideline-tool-form.md:
--------------------------------------------------------------------------------
**Contributor:** Nandita Rao Narla, Ethical Tech Project

**Contributor GitHub Username:** @nandita-rao

**Resource:** https://github.com/ethical-tech-project/the-privacy-stack#data-fortification-tools

**Related Documentation:** https://theprivacystack.org/

**Guideline/Tool Name:** Reference Architecture for Privacy Stack

**Associated Core Classification:** CT.DP-P1, CT.DP-P2, CT.DP-P3, CT.DP-P4, CT.DP-P5

**Contributor Notes:** The reference architecture for privacy stack is designed to guide technologists as they design, build and maintain systems that respect privacy and process data ethically. Interested in giving feedback, supporting, or joining the cause?
Email Us: *contact@theprivacystack.org*

--------------------------------------------------------------------------------
/resources/NIST SP 800-53 Crosswalk/contribution-form:
--------------------------------------------------------------------------------
# Crosswalk Contribution Form

**Contributor:** National Institute of Standards and Technology (NIST)

**Contributor GitHub Username:** @kboeckl

**Related Documentation:** [Crosswalk Excel](https://github.com/usnistgov/PrivacyFrmwkResources/raw/master/resources/NIST%20SP%20800-53%20Crosswalk/csf-pf-to-sp800-53r5-mappings.xlsx)

**Crosswalk Name:** NIST Privacy Framework and Cybersecurity Framework to NIST Special Publication 800-53, Revision 5 Crosswalk

**Source Name:** NIST Special Publication 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations

**Source Link:** https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf

**Source Type:** framework

**Contributor Notes:** n/a

--------------------------------------------------------------------------------
/resources/ISO 27701 Crosswalk Microsoft/Contribution form.md:
--------------------------------------------------------------------------------
**Contributor:** Microsoft

**Contributor GitHub Username:** @laurali-official

**Resource:** https://github.com/usnistgov/PrivacyFrmwkResources/blob/master/resources/ISO%2027701%20Crosswalk%20Microsoft/NIST-Privacy-Framework-Version1-Crosswalk-ISO-IEC%2027701_Microsoft.xlsx

**Related Documentation:** https://dataprotectionmapping.z21.web.core.windows.net/#/dashboard

**Crosswalk Name:** ISO/IEC 27701 Crosswalk

**Source Name:** ISO/IEC 27701

**Link to Source:** https://webstore.ansi.org/Standards/ISO/ISOIEC277012019

**Source Type:** standard

**Contributor Notes:** This cross-walk is mapped to the clauses in ISO/IEC 27701:2019.
Additional mappings to and from ISO/IEC 27701 can be found at https://dataprotectionmapping.z21.web.core.windows.net/#/dashboard

--------------------------------------------------------------------------------
/resources/Reference Architecture for Privacy Stack - Data Discovery/guideline-tool-form.md:
--------------------------------------------------------------------------------
**Contributor:** Nandita Rao Narla, Ethical Tech Project

**Contributor GitHub Username:** @nandita-rao

**Resource:** https://github.com/ethical-tech-project/the-privacy-stack/blob/main/reference-architecture/reference-architecture.md#data-discovery--classification

**Related Documentation:** https://theprivacystack.org/

**Guideline/Tool Name:** Reference Architecture for Privacy Stack

**Associated Core Classification:** ID.IM-P6: Data elements within the data actions are inventoried.

**Contributor Notes:** The reference architecture for privacy stack is designed to guide technologists as they design, build and maintain systems that respect privacy and process data ethically. Interested in giving feedback, supporting, or joining the cause?
Email Us: *contact@theprivacystack.org*

--------------------------------------------------------------------------------
/resources/Reference Architecture for Privacy Stack - Data Authoring Policies/guideline-tool-form.md:
--------------------------------------------------------------------------------
**Contributor:** Nandita Rao Narla, Ethical Tech Project

**Contributor GitHub Username:** @nandita-rao

**Resource:** https://github.com/ethical-tech-project/the-privacy-stack#data-policies-authoring-service

**Related Documentation:** https://theprivacystack.org/

**Guideline/Tool Name:** Reference Architecture for Privacy Stack

**Associated Core Classification:** GV.PO-P1: Organizational privacy values and policies (e.g., conditions on data processing such as data uses or retention periods, individuals’ prerogatives with respect to data processing) are established and communicated.

**Contributor Notes:** The reference architecture for privacy stack is designed to guide technologists as they design, build and maintain systems that respect privacy and process data ethically. Interested in giving feedback, supporting, or joining the cause?
Email Us: *contact@theprivacystack.org*

--------------------------------------------------------------------------------
/resources/Reference Architecture for Privacy Stack - Permission Management/contribution-form.md:
--------------------------------------------------------------------------------
**Contributor:** Nandita Rao Narla, Ethical Tech Project

**Contributor GitHub Username:** @nandita-rao

**Resource:**
- Simple Application: https://github.com/ethical-tech-project/the-privacy-stack#permission-management
- Advanced Application: https://github.com/ethical-tech-project/the-privacy-stack#permission-propagation-to-processors
- Processor Application: https://github.com/ethical-tech-project/the-privacy-stack#permission-management-1

**Related Documentation:** https://theprivacystack.org/

**Guideline/Tool Name:** Reference Architecture for Privacy Stack

**Associated Core Classification:** CT.DM-P7: Mechanisms for transmitting processing permissions and related data values with data elements are established and in place.

**Contributor Notes:** The reference architecture for privacy stack is designed to guide technologists as they design, build and maintain systems that respect privacy and process data ethically. Interested in giving feedback, supporting, or joining the cause? Email Us: *contact@theprivacystack.org*

--------------------------------------------------------------------------------
/resources/z Archive/NIST SP 800-53 Guidance/contribution-form.md:
--------------------------------------------------------------------------------
**With the release of NIST Special Publication 800-53, Revision 5, this resource has been archived.
The latest version of this resource is the [NIST Privacy Framework and Cybersecurity Framework to NIST Special Publication 800-53, Revision 5 Crosswalk](https://w3auth.nist.gov/privacy-framework/nist-privacy-framework-and-cybersecurity-framework-nist-special-publication-800-53).**

# Guidance & Tools Contribution Form

**Contributor:** National Institute of Standards and Technology (NIST)

**Contributor GitHub Username:** @kboeckl

**Resource:** https://csrc.nist.gov/csrc/media/publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf

**Related Documentation:** [Mapping Document (XLSX)](https://github.com/usnistgov/PrivacyFrmwkResources/raw/master/resources/NIST%20SP%20800-53%20Guidance/Guidance%20Resource%20-%20NIST%20SP%2080053_IPD_mapping.xlsx)

**Guidance/Tool Name:** NIST Special Publication 800-53, Revision 5, Initial Public Draft, Security and Privacy Controls for Information Systems and Organizations

**Relevant Core Classification:** Complete Core

**Contributor Notes:** This resource has been archived.

--------------------------------------------------------------------------------
/contribution-forms/crosswalk-form.md:
--------------------------------------------------------------------------------
# Crosswalk Contribution Form
*Remove all italicized text in this form, provided for instructional purposes, before submitting your pull request.*

**Contributor:** *Name of contributor. Use organization name if representing an organization.*

**Contributor GitHub Username:** @[username] *Include the GitHub username for the point of contact(s) responsible for this resource. This user will be responsible for keeping this resource up-to-date and for responding to feedback from the community.*

**Resource:** *If you are hosting your resource, then provide link(s) to your resource. Otherwise, include your resource in your GitHub directory.*

**Related Documentation:** *This section is optional. If you are hosting related documentation, then provide link(s). Otherwise, include the related documentation in your GitHub directory.*

**Crosswalk Name:** *name of the crosswalk you’re contributing*

**Source Name:** *title of the source (e.g., law, regulation, standard, framework) that you have mapped to the Privacy Framework*

**Link to Source:** *link to this source*

**Source Type:** *Select one:*
* *laws and regulations,*
* *standard, or*
* *framework.*

**Contributor Notes:** *This section is optional. You may use it to share notes for the community to consider while reviewing your resource.*

--------------------------------------------------------------------------------
/resources/CCPA Regulations Crosswalk/crosswalk-form.md:
--------------------------------------------------------------------------------
# Crosswalk Contribution Form

**Contributor:** Craig Erickson

**Contributor GitHub Username:** @craigericksondpo

**Resource:**

**Related Documentation:**

**Crosswalk Name:** CCPA-Regs-to-SP800-53r5-to-pf-mappings.xlsx

**Source Name:** California Consumer Privacy Act (CCPA)

**Link to Source:**

**Source Type:** \* laws and regulations, \* SP 800 53r5

**Contributor Notes:** Implementation, tests, case studies, and program management tools utilizing this crosswalk are not included in the NIST repository. For example, I built "Everyone's Guide to the CCPA" as a multipurpose tool which relies on this crosswalk. One use case is managing consumer complaints about businesses who violate the CCPA. Another use case is defending a business from unsubstantiated complaints, or building a privacy program that gathers evidence of compliance using NIST control standards.
These implementation artifacts can and should be maintained independently by their creators or owners. If a user wants to help improve this crosswalk, issues, pull requests, comments, tests, etc. can be made in my personal staging repository hosted at .

--------------------------------------------------------------------------------
/contribution-forms/Profile-form.md:
--------------------------------------------------------------------------------
# Profile Contribution Form
*Remove all italicized text in this form, provided for instructional purposes, before submitting your pull request.*

**Contributor:** *Name of contributor. Use organization name if representing an organization.*

**Contributor GitHub Username:** @[username] *Include the GitHub username for the point of contact(s) responsible for this resource. This user will be responsible for keeping this resource up-to-date and for responding to feedback from the community.*

**Resource:** *If you are hosting your resource, then provide link(s) to your resource. Otherwise, include your resource in your GitHub directory.*

**Related Documentation:** *This section is optional. If you are hosting related documentation, then provide link(s). Otherwise, include the related documentation in your GitHub directory.*

**Profile Name:** *name of the Profile you’re contributing*

**Profile Type:** *Provide an industry sector, domain (e.g., IoT), and/or data processing ecosystem role (e.g., data controller) for which this Profile is intended. You may provide any combination of the three. If industry sector, please select from the below list.*

* *Consumer Technology*
* *Education*
* *Energy*
* *Financial*
* *Government*
* *Healthcare*
* *Identity*
* *Information Technology*
* *Manufacturing*
* *Retail*
* *Telecommunications*
* *Transportation*
* *Other – Please provide your own.*

**Contributor Notes:** *This section is optional. You may use it to share notes for the community to consider while reviewing your resource.*

--------------------------------------------------------------------------------
/resources/AICPA TSC Crosswalk/contribution-form.md:
--------------------------------------------------------------------------------
# Crosswalk Contribution Form

**Contributor:** Nandita Rao Narla

**Contributor GitHub Username:** @nandita-rao

**Resource:** n/a

**Related Documentation:** [2017 Trust Services Criteria mapped to ISO 27001, NIST CSF, COBIT5, NIST 800-53 and GDPR](https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/mappingsrelevanttothesocsuiteofservices)

**Crosswalk Name:** NIST Privacy Framework - AICPA Trust Services Criteria Crosswalk

**Source Name:** 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (With Revised Points of Focus – 2022)

**Link to Source:** https://us.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/trust-services-criteria.pdf

**Source Type:** framework

**Contributor Notes:** The purpose of mapping the NIST Privacy Framework to the 2017 Trust Services Criteria (inclusive of October 2022 updates) is to support SOC compliance efforts for organizations aligned with the NIST Privacy Framework.
This mapping may be leveraged by privacy and GRC teams to perform a SOC readiness assessment and by service auditors to evaluate whether the NIST Privacy Framework may be considered suitable criteria in an attestation examination.

Sincere thanks to Dylan Gilbert, Privacy Policy Advisor at NIST, R. Jason Cronk, Founder of Institute of Operational Privacy Design, and Anza Abbas, Associate at Enterprivacy Consulting Group for their feedback.

*Disclaimer: This work product was developed in my personal capacity and does not guarantee accuracy or completeness. You should leverage it as a starting point for your own analysis.*

--------------------------------------------------------------------------------
/resources/GDPR-Regulation 2016 679/crosswalk.md:
--------------------------------------------------------------------------------

Crosswalk with the General Data Protection Regulation of the European Union (EU 2016/679)

Contributor: Enterprivacy Consulting Group (R. Jason Cronk)

Contributor GitHub Username: @privacymaverick

Crosswalk Name: GDPR-Regulation 2016/679 Crosswalk

Source Name: Regulation (EU) 2016/679 (General Data Protection Regulation)

Link to Source: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679

Source Type: Law and Regulation

Contributor Notes:

To make it easier for readers, rather than a single column, I've split the GDPR by Chapters and Sections.

Methodology

I want to thank Microsoft, as I first used their mapping of GDPR to ISO 27701 through their Data Protection Mapping Project. I then further utilized their mapping from ISO 27701 to the NIST Privacy Framework (initially provided in their public comments on the draft version of the framework). From there I manually reviewed each link between a subcategory in the NIST Privacy Framework and the corresponding item in the GDPR. Because there are items in the NIST Privacy Framework and GDPR that are not part of the ISO 27701 standard, I found numerous missed connections. I found some where the final NIST<->GDPR connection didn't make sense, even though the intermediary NIST->ISO and ISO->GDPR connections were appropriate. Next I solicited feedback from professional associates (many thanks to those who contributed their thoughts).

Disclaimer

While every effort has been made to be complete and provide as much detail as necessary, no guarantee or warranty is provided on the accuracy or completeness of this mapping. You should use it as a starting point for your own analysis.

--------------------------------------------------------------------------------
/resources/LGPD Crosswalk/contribution-form.md:
--------------------------------------------------------------------------------
## Crosswalk Contribution Form

**Contributor:** Paulo Vidigal and Luis Fernando Prado Chaves, Prado Vidigal Advogados.

**Contributor GitHub Username:** @paulo-vidigal

**Resource:** Resource has been included in my GitHub directory.

**Crosswalk Name:** LGPD Crosswalk by Prado Vidigal Advogados

**Source Name:** Brazilian Data Protection Law (Lei Geral de Proteção de Dados – LGPD)

**Link to Source:** [http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/L13709.htm](http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/L13709.htm)

**Source Type:** laws and regulations

**Contributor Notes:** First, we want to sincerely thank Enterprivacy Consulting Group, as we based our Crosswalk on their mapping from the GDPR to the NIST Privacy Framework. Since the Brazilian law was inspired by the GDPR, Enterprivacy’s previous work made our job much easier. We were able to adapt Enterprivacy’s work, shifting from the GDPR’s items to the LGPD’s, while preserving their methodology (we split the LGPD by Chapters and Sections just as they did).

The LGPD went into effect on September 18, 2020. The LGPD has been undeniably inspired by the GDPR. People usually say that if you have achieved GDPR compliance you are automatically compliant with the LGPD. However, there are some key differences between the LGPD and the GDPR. Therefore, we hope this Crosswalk can provide some clarity to private sector organizations that need to comply with both laws.

Disclaimers:
- This map does not contemplate the Chapters of the law regarding public entities' activities and the National Authority’s functioning.
- While every effort has been made to be complete and provide as much detail as necessary, no guarantee or warranty is provided on the accuracy or completeness of this mapping. You should use it as a starting point for your own analysis.
--------------------------------------------------------------------------------
/resources/PII Inventory Dashboard/contribution-form.md:
--------------------------------------------------------------------------------
# Guidance & Tools Contribution Form

**Contributor:** 18F

**Contributor GitHub Username:** @ondrae, @peterrowland, @igorkorenfeld, @nikzei

**Resource:**

- Searchable PII Inventory (built for GSA but adaptable for other agencies): https://cg-9341b8ea-025c-4fe2-aa6c-850edbebc499.app.cloud.gov/site/18f/privacy-dashboard/
- Project Repository: https://github.com/18F/privacy-dashboard

**Related Documentation:**

- Presentation at the Federal Privacy Council's AIC meeting on 3/24/20: [slides](https://drive.google.com/open?id=1EalCHFh-6u6PpMQdnmV6NBAv-OG5mP0m), [video](https://drive.google.com/open?id=1RdzCIsHUNvU79cqnbgA3rNV9-nt_L_QC)

**Guidance/Tool Name:** PII Inventory Dashboard

**Associated Core Classification:** ID.IM-P1 and ID.IM-P6

**Contributor Notes:**

Privacy offices are burdened with managing compliance paperwork, which reduces their bandwidth for proactive efforts to protect the public’s privacy. This searchable PII inventory was created by a team at 18F to give privacy offices some time back. Here are some activities that this inventory would speed up:

- finding information about PII from PIAs and SORNs
- understanding the landscape of PII that you manage
- producing an inventory as per OMB Circular A-130 requirements
- improving PII collection practices by system owners
- minimizing PII collection to only that which is legally authorized/mission-essential

Our tool processes GSA’s collection of PIA and SORN documents (PDF and XML) and creates an organized and searchable list of systems and the PII they collect.

This PII inventory is a collaboration between 18F and GSA’s Privacy Office.
It received funding from GSA’s 10x program.

If you are interested in using our tool to create a PII inventory for your agency, please reach out to us at privacy_devops@gsa.gov or on GitHub. We are happy to advise you on how to fork the repository if your team needs help. If you don’t have in-house capacity, 18F is a digital consultancy and we’re also available to work with you to implement a PII inventory for your agency.

--------------------------------------------------------------------------------
/resources/IAPP CIPM Crosswalk/contribution-form.md:
--------------------------------------------------------------------------------

# Crosswalk Contribution Form

**Contributor:** International Association of Privacy Professionals

**Contributor GitHub Username:** @tgrotheeriapp

**Resource:** https://github.com/usnistgov/PrivacyFrmwkResources/raw/master/resources/IAPP%20CIPM%20Crosswalk/NIST-Privacy-Framework-V1.0-Crosswalk-IAPP-CIPM_resource.xlsx

**Related Documentation:** [The Skill Set Needed to Implement a Privacy Risk Management Framework](https://iapp.org/media/pdf/resource_center/white_paper_implement_privacy_risk_management_framework.pdf)

**Crosswalk Name:** NIST Privacy Framework Version 1.0 to IAPP CIPM Crosswalk

**Source Name:** IAPP Certified Information Privacy Manager (CIPM) Body of Knowledge

**Link to Source:** https://iapp.org/certify/get-certified/cipm/

**Source Type:** framework

**Contributor Notes:** To offer insight into the professional skillset needed to implement the NIST Privacy Framework, the International Association of Privacy Professionals’ Westin Research Center mapped the Privacy Framework’s Core to the Body of Knowledge for a Certified Information Privacy Manager. This body of knowledge was created by the IAPP’s certification advisory board to reflect the skillset and knowledge required by a privacy professional working in the field.
It is annually updated, as required by IAPP’s ANSI accreditation, through a formal process to determine what professionals in the field are currently doing, under what conditions, and with what levels of knowledge and skill. The IAPP’s CIPM certification is then updated to align with this body of knowledge.

As a privacy risk management framework, NIST’s Privacy Framework aligns closely with the CIPM body of knowledge. However, it should be noted that as a framework designed to bring together stakeholders across disciplines, additional skills are needed to go deeper into certain aspects of the Privacy Framework. For instance, lawyers implementing the governance policies, processes, and procedures category will require greater familiarity with the legal regimes in the jurisdictions in which their organizations operate, skillsets more closely aligned with IAPP’s regionally based CIPP bodies of knowledge. Similarly, privacy engineers assessing options for de-identification techniques under the disassociated processing category will need more technical knowledge, such as that reflected in IAPP’s CIPT body of knowledge. The NIST Framework and the CIPM body of knowledge can serve as the bridge between these stakeholders.

The IAPP’s Westin Research Center developed the following table to document how NIST’s Privacy Framework, and more generally a risk management framework designed to bring together security and privacy professionals, aligns with IAPP’s CIPM certification. This mapping serves the dual purpose of informing privacy professionals seeking to understand the skillset needed to implement the NIST Privacy Framework and IAPP’s ongoing work to ensure its certifications are continually refined to meet the needs of the privacy profession across sectors and disciplines.
--------------------------------------------------------------------------------
/resources/CCPA Crosswalk/contribution-form.md:
--------------------------------------------------------------------------------
# Crosswalk Contribution Form

**Contributor:** Jeewon Serrato, BakerHostetler

**Contributor GitHub Username:** @jeewonserrato

**Resource:** n/a

**Related Documentation:** For the latest on the CCPA and CCPA rulemaking activities, see the California Office of the Attorney General CCPA Homepage: [https://oag.ca.gov/privacy/ccpa](https://oag.ca.gov/privacy/ccpa)

**Crosswalk Name:** California Consumer Privacy Act (CCPA) Crosswalk

**Source Name:** California Consumer Privacy Act of 2018

**Link to Source:** Link to the official text of the CCPA: [https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&chapter=&article=](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&chapter=&article=)

**Source Type:** laws and regulations

**Contributor Notes:** CCPA went into effect on January 1, 2020, and enforcement began on July 1, 2020. The California Office of the Attorney General is continuing its rulemaking and the California legislature is also continuing to enact amendments to the law. The CCPA was also amended in a significant way through a citizens’ ballot initiative (California Privacy Rights Act or CPRA). This CCPA Crosswalk maps the NIST Privacy Framework to the CCPA but adds notes to alert the readers to changes that were included in the CPRA, which for the most part become enforceable in 2023. Readers will also notice that many of the Privacy Framework’s subcategories that are risk-based do not map neatly to the CCPA.
The CCPA includes a number of thresholds in terms of scope and applicability; however, once the threshold is met, CCPA obligations are largely not risk-based and should be understood as legal requirements. I have noted sections within the CCPA that would help the readers map certain risk-based subcategories to the CCPA. To the extent the CCPA is continuing to be amended, rulemaking is revised and the CPRA rulemaking will begin in 2021, I welcome comments and edits to this crosswalk. I am currently serving as Chair of the Privacy Law Section of the California Lawyers Association (CLA) and invite privacy practitioners interested in monitoring legislative and rulemaking activities in California to join the state bar association. This crosswalk will be updated with the assistance of CLA Privacy Law Section members. CLA Privacy Law Section Webpage: [https://calawyers.org/section/privacy-law/](https://calawyers.org/section/privacy-law).

*Disclaimer* While every effort has been made to be complete and provide as much detail as necessary, no guarantee or warranty is provided on the accuracy or completeness of this mapping. You should use it as a starting point for your own analysis. The information provided on this crosswalk does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this crosswalk are for general informational purposes only. Information on this crosswalk may not constitute the most up-to-date legal or other information. Any links to third-party websites or sources are provided only for the convenience of the reader. Readers should contact their attorney to obtain advice with respect to any particular legal matter. Use of, and access to, this crosswalk or any of the links or resources contained within this crosswalk do not create an attorney-client relationship between the reader and contributor, contributing law firms, or other affiliated members or employees and respective employers.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# NIST Privacy Framework Resource Repository
This repository contains resources to support organizations’ use of the Privacy Framework. Resources include crosswalks, common Profiles, guidelines, and tools. NIST encourages new contributions and feedback on these resources as part of the ongoing collaborative effort to improve implementation of the Privacy Framework.

## Browse
Visit the [Browse page](https://www.nist.gov/privacy-framework/resource-repository/browse) to find and use resources to help with framework implementation.

## Contribute
Visit the [Contribute page](https://w3auth.nist.gov/privacy-framework/resource-repository/contribute-resources) to learn how to prepare and contribute your resource for potential inclusion in the repository.

## Engage
Share feedback and ask questions about resources in the repository using the [Issues feature](https://github.com/usnistgov/PrivacyFrmwkResources/issues/new).

## Operating Rules
These operating rules describe and govern NIST’s management of this repository and contributors’ responsibilities. NIST reserves the right to modify this policy at any time.

### Criteria for Contributions and Feedback
This is a moderated platform. NIST will only accept contributions that are publicly available. Contributors may submit links or materials for hosting in the repository. Upon submission, materials will be made public and considered publicly available information.

NIST reserves the right to reject, remove, or edit any contribution or feedback, including anything that:
* states or implies NIST endorsement of any entities, services, or products;
* is inaccurate;
* contains abusive or vulgar content, spam, hate speech, personal attacks, or similar content;
* is clearly "off topic";
* makes unsupported accusations;
* includes personally identifiable or business identifiable information according to Department of Commerce Office of Privacy and Open Government [guidelines](http://www.osec.doc.gov/opog/privacy/PII_BII.html); or,
* contains .exe or .jar file types.*

*These file types will not be hosted in the NIST repository; instead, NIST may link to these if hosted elsewhere.

### Contributor Responsibilities
NIST also reserves the right to reject or remove contributions from the repository if the contributor fails to carry out any of the following responsibilities:
* following the contribution instructions;
* responding to feedback from other repository users in a timely manner;
* responding to NIST representatives in a timely manner;
* keeping contributions and contributor GitHub username up to date; and
* annual verification of the accuracy and relevancy of the contribution.
  * NIST will create a GitHub issue and tag the contributor’s GitHub username to notify contributors one year after the date their contribution is posted in the repository, and annually thereafter.
  * Contributors must either confirm that their contribution remains accurate and relevant, or provide updates to maintain its accuracy and relevancy (e.g., to reflect recent changes to a source document).

### Representations and Warranties & Software Use Agreement
Any references to commercial entities, products, services, or other nongovernmental organizations or individuals on the site are provided solely for the information of individuals using this page. These references are not intended to reflect the opinion of NIST, the Department of Commerce or the United States, or its officers or employees. Such references are not an official or personal endorsement of any product, person, or service, nor are they intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. Such references may not be quoted or reproduced for the purpose of stating or implying an endorsement, recommendation, or approval of any product, person, or service.
This platform is provided as a public service. Information, data, and software posted to this platform is “AS IS.” NIST MAKES NO WARRANTY OF ANY KIND, EXPRESS, IMPLIED OR STATUTORY, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT AND DATA ACCURACY. NIST does not warrant or make any representations regarding the use of the software or the results thereof, including but not limited to the correctness, accuracy, reliability or usefulness of the software. You are solely responsible for determining the appropriateness of using and distributing the software and you assume all risks associated with its use, including but not limited to the risks and costs of program errors, compliance with applicable laws, damage to or loss of data, programs or equipment, and the unavailability or interruption of operation. This software is not intended to be used in any situation where a failure could cause risk of injury or damage to property.
NIST SHALL NOT BE LIABLE AND YOU HEREBY RELEASE NIST FROM LIABILITY FOR ANY INDIRECT, CONSEQUENTIAL, SPECIAL, OR INCIDENTAL DAMAGES (INCLUDING DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, AND THE LIKE), WHETHER ARISING IN TORT, CONTRACT, OR OTHERWISE, ARISING FROM OR RELATING TO THE SOFTWARE (OR THE USE OF OR INABILITY TO USE THIS SOFTWARE), EVEN IF NIST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

## Additional Contribution Resources

**GitHub Help:** If you're having trouble with these instructions, and need more information about GitHub, pull requests, and issues, visit GitHub's Help [page](https://help.github.com/categories/collaborating-with-issues-and-pull-requests/).

**Contribution Assistance:** If you're having trouble submitting your contribution to this space, or otherwise would like to send us feedback, [contact us](mailto:privacyframework@nist.gov).

## Learn about the NIST Privacy Framework
www.nist.gov/privacyframework

## Contact
privacyframework@nist.gov

--------------------------------------------------------------------------------
/resources/DPDPA Crosswalk/Contribution-Form.md:
--------------------------------------------------------------------------------
# Crosswalk Contribution Form

**Contributor:** Amey Kantak, Persistent Systems

**Contributor GitHub Username:** @kantakgoa

**Resource:** Decoding India Privacy – Digital Personal Data Protection Act (DPDPA), 2023 Crosswalk to NIST

**Related Documentation:** NA

**Crosswalk Name:** NIST Privacy Framework 1.0-Digital Personal Data Protection Act (DPDPA), 2023 Crosswalk

**Source Name:** Digital Personal Data Protection Act, 2023

**Link to Source:** https://www.meity.gov.in/writereaddata/files/Digital Personal Data Protection Act 2023.pdf

**Source Type:** laws and regulations

**Contributor Notes:**
• Mapped elements represent where the DPDPA requires a control that would fall under the NIST Core subcategory, or where a control under the NIST Core subcategory would support activities under the DPDPA.
• To make it easier for readers, the DPDPA legislation has been broken down chapter-wise. Sections and Subsections have been mapped against relevant sections of the NIST Privacy Framework V1.0 in the NIST Privacy V1.0 Core to DPDPA worksheet.
• The Quick Reference worksheet has the DPDPA sections mapped to the actual citation of the Digital Personal Data Protection Act (DPDPA), 2023, as well as a mapping to the relevant sections of the EU GDPR to provide better context.
• Readers will also notice that many of the Privacy Framework’s subcategories do not map neatly to the DPDPA. The DPDPA is an “umbrella” legislation, as it sets out only a high-level framework for India’s new data protection regime, with supplementary rules expected in due course.

**Methodology**
• The NIST Privacy Framework was retrieved from https://www.nist.gov/document/nist-privacy-framework-v10-core and the DPDPA Act was retrieved from MEITY: https://www.meity.gov.in/writereaddata/files/Digital Personal Data Protection Act 2023.pdf
• The Cybersecurity and Privacy Reference Tool (CPRT) has been leveraged for manually mapping to the DPDPA Act 2023.

**Reasoning behind the mapping**
Readers should note that the DPDPA does share common objectives of protecting individuals' privacy rights and regulating the processing of personal data with other privacy regulations such as the CCPA or GDPR; however, each is shaped by distinct legal, cultural, and regulatory contexts. This leads to differences in scope, implementation, and enforcement mechanisms.
For example:

• Chapter I – Preliminary of the bill focuses largely on definitions such as “Data Fiduciary”, “Data Principal”, etc., which have been mapped to IDENTIFY-P (ID-P) and GOVERN-P (GV-P), as the definitions outline the scope of the Bill with respect to your organization. For example, the DPDPA Data Principal definition has parlance to the GDPR Data Subject definition; however, the DPDPA introduces the child and guardian concept in the data principal description itself rather than defining the consent in a separate Art. 8: Child's consent or Art. 9: Processing special categories of data in the GDPR.

• Chapter II - Obligations of Data Fiduciary has parlance to the Technical and Organizational controls mandated in other global legislations, which have been mapped largely to CONTROL-P (CT-P) and PROTECT-P (PR-P) in addition to other NIST Core subcategories. What sets the DPDPA apart from other regulations is the concept of “Consent Manager”. A "consent manager" within the context of the DPDPA refers to a mechanism or tool that enables Data Principals to exercise control over the processing of their personal data by providing informed and specific consent, which can then be leveraged by the Data Fiduciary for processing. While specific details about the implementation of a consent manager under the DPDPA in India are yet to be finalized, it's likely that such a mechanism will play a crucial role in ensuring compliance with data protection requirements and empowering individuals to exercise control over their personal data. The ownership, accountability and responsibility are placed on the Data Fiduciary to ensure that these controls are implemented across the lifecycle of the processing, irrespective of whether it is done by the Data Fiduciary itself or outsourced to third parties/processors and sub-processors.

**Historical Context**
• Prior to the DPDPA, India’s data protection rules were made up of Section 43A and 87(2)(ob) of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
• In a historic decision delivered on 24th August 2017, the Indian Supreme Court bench unanimously recognised the fundamental right to privacy of every individual as guaranteed by the Constitution, within Article 21 in particular and Part III on the whole.
• The Ministry of Electronics and Information Technology (MEITY) constituted a 10-member panel headed by retired Supreme Court judge BN Srikrishna in August 2017 to arrive at a data protection bill. https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf
• The first draft of the Data Protection Bill came out in 2018. After various rounds of amendment in 2019 and 2021, the bill was scrapped and replaced with the Digital Personal Data Protection Bill, 2022.
• On 18 November 2022, MEITY released the Digital Personal Data Protection Bill, 2022 for public consultation.
• The Digital Personal Data Protection Act, 2023 (“DPDPA”) was passed by the Lok Sabha (lower house of the Indian Parliament) on August 7, 2023, and by the Rajya Sabha (upper house of the Indian Parliament) on August 9, 2023. The DPDPA received the President’s assent and was enacted into law on August 11, 2023. Factors such as accountability, transparency, data minimisation, fairness, accuracy, and lawful processing of personal data have been reflected in the DPDPA. It addresses Data Principals as ‘she/her,’ which is unseen in any Indian law till date and sets the tone in a new light.
• The DPDPA is “umbrella” legislation, as it sets out only a high-level framework for India’s new data protection regime, with supplementary rules expected in due course.

**Disclaimer**
While every effort has been made to be complete and provide as much detail as necessary, no guarantee or warranty is provided on the accuracy or completeness of this mapping. You should use it as a starting point for your own analysis. Information on this crosswalk may not constitute the most up-to-date legal or other information. The views expressed in the content belong to the contributor and not the organization, its affiliates, or employees. Any links to third-party websites or sources are provided only for the convenience of the reader.

--------------------------------------------------------------------------------