NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-7(24)Personally Identifiable Information

For systems that process personally identifiable information: Apply the following processing rules to data elements of personally identifiable information: {{ insert: param, sc-07.24_odp }}; Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system; Document each processing exception; and Review and remove exceptions that are no longer supported.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Managing the processing of personally identifiable information is an important aspect of protecting an individual’s privacy. Applying, monitoring for, and documenting exceptions to processing rules ensure that personally identifiable information is processed only in accordance with established privacy requirements.

Practitioner Notes

When personally identifiable information (PII) crosses network boundaries, extra protections must be in place — encryption, access controls, and monitoring — to prevent unauthorized disclosure.

Example 1: Configure Microsoft Purview DLP policies to detect and block outbound email or file transfers containing PII (Social Security numbers, dates of birth, financial data). Set policies to encrypt PII automatically if it must be transmitted externally.

Example 2: On your firewall, create specific logging rules for traffic to and from systems that store PII (HR databases, patient records). Forward these logs to your SIEM with alerts for unusual data transfer volumes that could indicate a breach.

More System and Communications Protection Controls

SC-1 Policy and Procedures SC-2 Separation of System and User Functionality SC-2(1) Interfaces for Non-privileged Users SC-2(2) Disassociability