NIST 800-53 REV 5 • PROGRAM MANAGEMENT

PM-20(1) Privacy Policies on Websites, Applications, and Digital Services

Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, that:

(a) Are written in plain language and organized in a way that is easy to understand and navigate;

(b) Provide information needed by the public to make an informed decision about whether and how to interact with the organization; and

(c) Are updated whenever the organization makes a substantive change to the practices it describes and includes a time/date stamp to inform the public of the date of the most recent changes.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Organizations post privacy policies on all external-facing websites, mobile applications, and other digital services. Organizations post a link to the relevant privacy policy on any known, major entry points to the website, application, or digital service. In addition, organizations provide a link to the privacy policy on any webpage that collects personally identifiable information. Organizations may be subject to applicable laws, executive orders, directives, regulations, or policies that require the provision of specific information to the public. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.

Practitioner Notes

Every external-facing website, mobile app, and digital service you operate must post a privacy policy that explains, in plain language, what personal data you collect and how you use it. Posting alone is not enough: link the policy from every major entry point (home page, login page, app start screen) and from every page or screen that collects personally identifiable information, and show a visible "last updated" date that you change whenever the described practices change substantively. Because laws, regulations, and agency directives may require specific content in the policy, have the senior agency official for privacy and legal counsel review the wording before it goes live.

Example 1: Add a privacy policy link in the footer of every page on your website, and in the settings or "about" screen of every mobile app. If your site uses cookies or third-party analytics, show a cookie consent banner that lets visitors opt in or out, and do not load the analytics or tracking scripts until the visitor has opted in. Make sure the privacy policy describes what each cookie and tracker does and who receives the data.

Example 2: For any web form that collects personal information (contact forms, account signups), place a brief privacy notice directly on the form stating what data is collected, why, and how long it is kept, with a link to the full privacy policy. If you use a third-party analytics service such as Microsoft Clarity or Google Analytics, enable whatever IP-anonymization or data-minimization options the service provides, name the service in the privacy policy, and re-check the policy text whenever you add or replace a tracker so the date stamp stays truthful.