NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-8(33) — Minimization
Implement the privacy principle of minimization using [Assignment: organization-defined processes].
Supplemental Guidance
The principle of minimization states that organizations should only process personally identifiable information that is directly relevant and necessary to accomplish an authorized purpose and should only maintain personally identifiable information for as long as is necessary to accomplish the purpose. Organizations have processes in place, consistent with applicable laws and policies, to implement the principle of minimization.
Practitioner Notes
Minimization as a design principle means collecting, processing, and retaining only the minimum information necessary for the system's purpose. Less data means less risk.
Example 1: Review your data collection forms and database schemas. For every field, ask: 'Do we actually need this to perform the function?' If you collect date of birth but never use it for anything, stop collecting it. Less data stored means less data to protect and less damage if breached.
Example 2: Implement data retention policies that automatically purge data past its useful life. In Microsoft Purview, use Retention Labels to mark data with retention periods and automatically delete it when the period expires. Configure Exchange Online to purge deleted items after 30 days and apply retention policies to SharePoint content.
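The two practitioner examples above, sketched as an added illustration against a SQLite table (this code is not part of NIST SP 800-53 or of any Microsoft tooling). The `customers` table, its columns, the purpose register and the 365-day retention period are all constructed assumptions.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed purpose register: column -> documented purpose (None = none on record).
PURPOSE_REGISTER = {
    "id": "primary key",
    "email": "account login and notifications",
    "created_at": "starts the retention clock",
    "date_of_birth": None,  # collected but never used
}
RETENTION_DAYS = 365  # assumed retention period for this table


def unjustified_columns(conn, register):
    """Schema review: return columns with no documented purpose."""
    cols = [row[1] for row in conn.execute("PRAGMA table_info(customers)")]
    return [c for c in cols if not register.get(c)]


def purge_expired(conn, now, retention_days):
    """Retention: delete rows older than the retention period; return the count."""
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    cur = conn.execute("DELETE FROM customers WHERE created_at < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


def build_sample_db(now):
    """Constructed in-memory table holding one fresh and one expired record."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, "
                 "date_of_birth TEXT, phone TEXT, created_at TEXT)")
    rows = [
        (1, "a@example.test", "1990-01-01", "555-0100",
         (now - timedelta(days=10)).isoformat()),
        (2, "b@example.test", "1985-05-05", "555-0101",
         (now - timedelta(days=400)).isoformat()),
    ]
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", rows)
    return conn


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    conn = build_sample_db(now)
    print("No documented purpose:", unjustified_columns(conn, PURPOSE_REGISTER))
    print("Rows purged:", purge_expired(conn, now, RETENTION_DAYS))
```

A column missing from the register (`phone` here) is treated the same as one with an empty purpose, so new fields are flagged until someone documents why they are collected.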