NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-12(1)Limit Personally Identifiable Information Elements

Limit personally identifiable information being processed in the information life cycle to the following elements of personally identifiable information: {{ insert: param, si-12.01_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Limiting the use of personally identifiable information throughout the information life cycle when the information is not needed for operational purposes helps to reduce the level of privacy risk created by a system. The information life cycle includes information creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition. Risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to determining which elements of personally identifiable information may create risk.

Practitioner Notes

Limit the personally identifiable information (PII) elements your systems collect and maintain to only what is actually needed for your mission.

Example 1: Audit the PII your applications collect. Do you really need a Social Security number for every form, or would a less sensitive identifier work? Remove PII fields that are not essential for the business process.

Example 2: In your databases, identify all columns containing PII. For columns that are not necessary for daily operations, consider removing them or replacing them with de-identified alternatives. For example, replace full dates of birth with just the year if the exact date is not needed.

More System and Information Integrity Controls

SI-1 Policy and Procedures SI-2 Flaw Remediation SI-2(1) Central Management SI-2(2) Automated Flaw Remediation Status