NIST 800-53 REV 5 • PROGRAM MANAGEMENT
PM-5(1) — Inventory of Personally Identifiable Information
Establish, maintain, and update {{ insert: param, pm-05.01_odp }} an inventory of all systems, applications, and projects that process personally identifiable information.
Supplemental Guidance
An inventory of systems, applications, and projects that process personally identifiable information supports the mapping of data actions, providing individuals with privacy notices, maintaining accurate personally identifiable information, and limiting the processing of personally identifiable information when such information is not needed for operational purposes. Organizations may use this inventory to ensure that systems only process the personally identifiable information for authorized purposes and that this processing is still relevant and necessary for the purpose specified therein.
Practitioner Notes
This enhancement focuses specifically on tracking which of your systems handle personally identifiable information (PII). You need a dedicated inventory that maps where PII lives across your organization.
Example 1: Conduct a data mapping exercise where each department identifies what PII they collect (names, SSNs, addresses), where it is stored (database, file share, email), and who has access to it. Document this in a PII inventory matrix and review it annually.
Example 2: In Microsoft Purview, use Data Classification → Content Explorer to scan your M365 environment for documents containing sensitive information types like Social Security numbers, credit card numbers, or health records. The results automatically feed your PII inventory.
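As an added worked example (not from NIST or from the author of these notes), the Python below merges the two sources described in Examples 1 and 2, a departmental data map and classification scan hits, into one PII inventory and flags the conditions the guidance calls out: systems the scan found that no department reported, processing with no documented purpose, and overdue annual reviews. The sample rows, the column names and the reference date are constructed assumptions, not Purview's export format.

```python
"""Build a PM-5(1) PII inventory from a data map plus scan hits and flag gaps."""
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=365)   # annual review cadence from Example 1
AS_OF = date(2024, 6, 1)                # constructed reference date for the review check

# Constructed sample: what departments reported in the data-mapping exercise.
DATA_MAP = [
    {"system": "hr-db", "department": "HR", "pii": {"name", "SSN"},
     "storage": "database", "access": ["hr-staff"], "purpose": "payroll",
     "last_review": date(2024, 2, 1)},
    {"system": "finance-share", "department": "Finance", "pii": {"credit card number"},
     "storage": "file share", "access": ["finance-staff", "everyone"], "purpose": "",
     "last_review": date(2022, 11, 30)},
]

# Constructed sample: classification scan hits, one row per location and sensitive
# information type. Column names are an assumption, not Purview's real export.
SCAN_HITS = [
    {"system": "finance-share", "location": "/Finance/Q1/refunds.xlsx",
     "info_type": "credit card number", "hits": 12},
    {"system": "support-mailbox", "location": "mail/support/2024-03",
     "info_type": "SSN", "hits": 3},
]


def build_inventory(data_map, scan_hits):
    """Return {system: record}. Reported entries seed the inventory; scan hits add
    PII types to them and create unreported entries for systems nobody declared."""
    inv = {r["system"]: {**r, "pii": set(r["pii"]), "reported": True} for r in data_map}
    for hit in scan_hits:
        rec = inv.setdefault(hit["system"], {
            "system": hit["system"], "department": None, "pii": set(), "storage": None,
            "access": [], "purpose": "", "last_review": None, "reported": False})
        rec["pii"].add(hit["info_type"])
    return inv


def find_gaps(inventory, today=AS_OF):
    """Flag entries that fail the conditions the supplemental guidance describes."""
    gaps = []
    for name, rec in sorted(inventory.items()):
        if not rec["reported"]:
            gaps.append((name, "found by scan but missing from data map"))
        if not rec["purpose"]:
            gaps.append((name, "no documented purpose for processing PII"))
        if rec["last_review"] is None or today - rec["last_review"] > REVIEW_INTERVAL:
            gaps.append((name, "annual review overdue or never done"))
    return gaps
```

Each flagged tuple names the system and the follow-up the privacy program owes it; a clean run returns an empty list.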