NIST 800-53 REV 5 • PROGRAM MANAGEMENT
PM-25 — Minimization of Personally Identifiable Information Used in Testing, Training, and Research
a. Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;
b. Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes;
c. Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and
d. Review and update policies and procedures {{ insert: param, pm-25_prm_1 }}.
Supplemental Guidance
The use of personally identifiable information in testing, research, and training increases the risk of unauthorized disclosure or misuse of such information. Organizations consult with the senior agency official for privacy and/or legal counsel to ensure that the use of personally identifiable information in testing, training, and research is compatible with the original purpose for which it was collected. When possible, organizations use placeholder data to avoid exposure of personally identifiable information when conducting testing, training, and research.
Practitioner Notes
When you use data for testing, training, or research, you should minimize or eliminate real PII. Use synthetic, de-identified, or anonymized data instead so that a breach of test data does not expose real people's information.
Example 1: Before using production data in a test environment, run it through a data masking tool that replaces real names, SSNs, and addresses with realistic but fake values. Tools like Redgate Data Masker or open-source Faker libraries can generate convincing test data without real PII.
Example 2: Write a policy that prohibits using production databases in development or training environments without data sanitization. In Azure SQL, use Dynamic Data Masking to automatically obscure sensitive columns so developers see masked values while the application still functions normally.
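As an added illustration of Example 1 (not code from NIST or from any masking product), the following Python sketch masks PII columns while copying records into a test environment: a keyed HMAC seeds the fake-value generator so the same real value always maps to the same fake value (joins and duplicates in the test data stay consistent) without the mapping being reversible by anyone who only holds the test copy. The sample rows, the key, and the name lists are constructed for the example; the final function is the check a reviewer would run before signing off on the test data set.

```python
import hashlib
import hmac
import random

# Constructed "production" sample (values are invented for this example).
PRODUCTION_ROWS = [
    {"id": 1, "name": "Alice Example", "ssn": "123-45-6789", "email": "alice@example.com", "city": "Springfield"},
    {"id": 2, "name": "Bob Sample", "ssn": "987-65-4321", "email": "bob@example.com", "city": "Shelbyville"},
    {"id": 3, "name": "Alice Example", "ssn": "123-45-6789", "email": "alice@example.com", "city": "Springfield"},
]

PII_FIELDS = ("name", "ssn", "email")          # columns that must never reach test
FIRST_NAMES = ["Avery", "Blake", "Casey", "Devon", "Emery", "Finley"]   # constructed
LAST_NAMES = ["Moss", "Reyes", "Okafor", "Lindqvist", "Tanaka", "Walsh"]  # constructed


def _prng(key: bytes, field: str, value: str) -> random.Random:
    """Seed a PRNG from HMAC(key, field || value). The same real value yields the
    same fake value (consistency across rows/tables); without the key, which stays
    in production, the fake value cannot be linked back to the real one."""
    digest = hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256).digest()
    return random.Random(int.from_bytes(digest[:8], "big"))


def mask_value(key: bytes, field: str, value: str) -> str:
    """Replace one PII value with a realistic-looking but non-real substitute."""
    rng = _prng(key, field, value)
    if field == "name":
        return f"{rng.choice(FIRST_NAMES)} {rng.choice(LAST_NAMES)}"
    if field == "ssn":
        # Keep the NNN-NN-NNNN shape so input validators still pass, but use the
        # 900-999 area range, which is never issued as a real SSN.
        return f"{rng.randint(900, 999):03d}-{rng.randint(1, 99):02d}-{rng.randint(1, 9999):04d}"
    if field == "email":
        return f"user{rng.randint(10000, 99999)}@test.invalid"  # reserved TLD
    return value  # non-PII fields are copied through unchanged


def mask_rows(rows, key: bytes):
    """Produce the test copy: every PII column masked, everything else intact."""
    return [{k: (mask_value(key, k, v) if k in PII_FIELDS else v) for k, v in row.items()}
            for row in rows]


def leaked_pii(original, masked):
    """Sign-off check: list any real PII value that survived into the masked copy."""
    real = {r[f] for r in original for f in PII_FIELDS}
    return sorted(r[f] for r in masked for f in PII_FIELDS if r[f] in real)
```

This differs from Azure SQL Dynamic Data Masking (Example 2), which only obscures values at query time while the real data stays in the database; the copy produced here never contains the real values, which is what the control's minimization language asks for.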