NIST 800-53 REV 5 • PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY

PT-2(2) Automation

Manage enforcement of the authorized processing of personally identifiable information using [Assignment: organization-defined automated mechanisms].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Supplemental Guidance

Automated mechanisms augment verification that only authorized processing is occurring.

Practitioner Notes

This enhancement automates the checking and enforcement of processing authorities, reducing reliance on people to remember and follow the rules manually.

Example 1: Configure your database or application to check a user's authorization against the data's purpose tag before allowing access. If the user does not hold a role authorized for that data's stated purpose, or the request does not state a purpose at all, the query is denied automatically. Records that carry no purpose tag should also be denied by default (fail closed) rather than treated as unrestricted, and every denial should be logged so that the enforcement mechanism itself can be audited.
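As an added illustration of Example 1 (this is not NIST text or any product's code), the following Python check evaluates a caller's roles and stated processing purpose against each record's purpose tag, fails closed on untagged records or an unstated purpose, and writes every decision to an audit log. The role-to-purpose table, record IDs and field values are constructed sample data.

```python
"""Purpose-tag authorization check, fail-closed, with an audit trail.

Added illustration for Example 1; the role-to-purpose table, record IDs
and field values are constructed sample data, not from any real system.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable, Optional

# Hypothetical authority matrix: which processing purposes each role may act under.
# In practice this would be loaded from the privacy program's processing inventory.
ROLE_PURPOSES: dict[str, set[str]] = {
    "hr_benefits_admin": {"hr_benefits"},
    "payroll_clerk": {"payroll"},
    "privacy_officer": {"hr_benefits", "payroll", "marketing"},
}


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: Optional[str]  # purpose tag applied at collection; None = untagged
    data: dict


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


@dataclass
class AuditLog:
    """Append-only list of decisions so the enforcement itself can be reviewed."""
    events: list[dict] = field(default_factory=list)

    def write(self, **event) -> None:
        self.events.append(event)


def authorized_purposes(roles: Iterable[str]) -> set[str]:
    """Union of the purposes the caller's roles are authorized to process.
    Unknown roles contribute nothing, so a typo in a role name cannot widen access."""
    purposes: set[str] = set()
    for role in roles:
        purposes |= ROLE_PURPOSES.get(role, set())
    return purposes


def decide(roles: Iterable[str], stated_purpose: str, record: Record) -> Decision:
    """Allow only when a purpose is stated, the record is tagged, the roles cover
    the stated purpose, and the record's tag is that same purpose."""
    if not stated_purpose:
        return Decision(False, "no processing purpose stated")
    if record.purpose is None:
        return Decision(False, "record has no purpose tag (fail closed)")
    if stated_purpose not in authorized_purposes(roles):
        return Decision(False, f"roles not authorized for purpose {stated_purpose!r}")
    if record.purpose != stated_purpose:
        return Decision(False, f"record tagged {record.purpose!r}, not {stated_purpose!r}")
    return Decision(True, "stated purpose authorized and matches record tag")


def query(subject: str, roles: Iterable[str], stated_purpose: str,
          records: Iterable[Record], audit: AuditLog) -> list[Record]:
    """Return only the records the subject may process for the stated purpose.
    Every decision, allowed or denied, is written to the audit log."""
    roles = list(roles)  # roles are checked once per record
    released: list[Record] = []
    for rec in records:
        d = decide(roles, stated_purpose, rec)
        audit.write(subject=subject, record=rec.record_id,
                    purpose=stated_purpose, allowed=d.allowed, reason=d.reason)
        if d.allowed:
            released.append(rec)
    return released


# Constructed sample records; the third is a legacy record that was never tagged.
SAMPLE_RECORDS = [
    Record("emp-1001", "hr_benefits", {"name": "A. Example", "plan": "dental"}),
    Record("emp-1002", "payroll", {"name": "B. Example", "account": "***1234"}),
    Record("emp-1003", None, {"name": "C. Example"}),
]

if __name__ == "__main__":
    log = AuditLog()
    out = query("alice", ["hr_benefits_admin"], "hr_benefits", SAMPLE_RECORDS, log)
    print("released:", [r.record_id for r in out])
    for e in log.events:
        print(e)
```

Running the module as shown releases only emp-1001 to a benefits administrator acting for the hr_benefits purpose; the payroll record is denied because its tag does not match the stated purpose, and the untagged legacy record is denied because untagged data is never treated as unrestricted. The same role querying for "payroll" is denied outright because no role it holds covers that purpose. Placing the check in one function that every data path must call, and recording each decision, is what turns the written processing authority into something that is enforced and verifiable rather than remembered.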

Example 2: In Microsoft Purview, use automated DLP policies that detect and block unauthorized processing of labeled PII. For instance, if a document carrying the sensitivity label 'PII - HR Only' is attached to an email addressed to recipients outside the HR group, the DLP policy blocks the send and shows the sender a policy tip explaining the restriction. Run a new policy in test mode first and review the resulting alerts, so that the rule is tuned against real traffic before it starts blocking and legitimate HR workflows are not interrupted.