NIST 800-53 REV 5 • PROGRAM MANAGEMENT
PM-19 — Privacy Program Leadership Role
Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement applicable privacy requirements and manage privacy risks through the organization-wide privacy program.
Supplemental Guidance
The privacy officer is an organizational official. For federal agencies—as defined by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines—this official is designated as the senior agency official for privacy. Organizations may also refer to this official as the chief privacy officer. The senior agency official for privacy also has roles on the data management board (see [PM-23](#pm-23)) and the data integrity board (see [PM-24](#pm-24)).
Practitioner Notes
Appoint someone with authority and resources to lead your privacy program. For federal agencies this is the Senior Agency Official for Privacy (SAOP). For private companies, this might be a privacy officer, DPO, or a senior manager with privacy responsibilities.
Example 1: Issue a formal memo designating your privacy program lead. Define their responsibilities: overseeing PII inventories, approving privacy impact assessments, managing breach response, and reporting privacy metrics to leadership.
Example 2: Assign your designated privacy lead the Privacy Management role in Microsoft Purview so they have access to privacy dashboards, data subject request tools, and compliance reports. This gives them the technical visibility needed to manage the program effectively.