NIST 800-53 REV 5 • PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY
PT-8 — Computer Matching Requirements
When a system or organization processes information for the purpose of conducting a matching program:

- Obtain approval from the Data Integrity Board to conduct the matching program;
- Develop and enter into a computer matching agreement;
- Publish a matching notice in the Federal Register;
- Independently verify the information produced by the matching program before taking adverse action against an individual, if required; and
- Provide individuals with notice and an opportunity to contest the findings before taking adverse action against an individual.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
Supplemental Guidance
The [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) establishes requirements for federal and non-federal agencies if they engage in a matching program. In general, a matching program is a computerized comparison of records from two or more automated [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) systems of records or an automated system of records and automated records maintained by a non-federal agency (or agent thereof). A matching program either pertains to federal benefit programs or federal personnel or payroll records. A federal benefit match is performed to determine or verify eligibility for payments under federal benefit programs or to recoup payments or delinquent debts under federal benefit programs. A matching program involves not just the matching activity itself but also the investigative follow-up and ultimate action, if any.
Practitioner Notes
Computer matching involves comparing records from two or more automated systems of records to find or verify information about individuals. Federal agencies conducting matching programs must follow specific procedural requirements.
Example 1: Before starting a computer matching program, execute a written matching agreement between the participating agencies that specifies the purpose, records to be matched, accuracy assurances, and protections for individual rights. Submit the agreement to the Data Integrity Board for approval.
Example 2: Notify affected individuals and provide due process before taking adverse action based on matching results. For example, if a match indicates someone is receiving benefits they should not, provide written notice and an opportunity to contest the finding before reducing or terminating benefits. Document the entire process.