NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-18(4) Individual Requests

Correct or delete personally identifiable information upon request by individuals or their designated representatives.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Inaccurate personally identifiable information maintained by organizations may cause problems for individuals, especially in those business functions where inaccurate information may result in inappropriate decisions or the denial of benefits and services to individuals. Even correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of an organization maintaining the information. Organizations use discretion when determining if personally identifiable information is to be corrected or deleted based on the scope of requests, the changes sought, the impact of the changes, and laws, regulations, and policies. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding appropriate instances of correction or deletion.

Practitioner Notes

Allow individuals to request corrections to their PII and process those requests in a timely manner.

Example 1: Provide a clear process (web form, email address, phone number) for individuals to request corrections to their PII. Set a maximum response time (e.g., 30 days) and track requests through your ticketing system.

Example 2: In your customer portal, allow users to submit change requests for their personal data. Route requests through a verification and approval workflow to prevent unauthorized changes. Notify the individual when their correction has been processed.
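The verification-then-approval workflow of Example 2, with the 30-day response time of Example 1 used as the tracking deadline, as an added Python example that is not part of the control text or any NIST material: the request fields, the two staff roles and the in-memory records dictionary are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional

State = Enum("State", "SUBMITTED VERIFIED APPROVED REJECTED COMPLETED")

@dataclass
class PiiRequest:
    subject_id: str                   # individual whose PII the request concerns
    action: str                       # "correct" or "delete"
    pii_field: str                    # record field targeted, e.g. "postal_address" (assumed name)
    submitted_on: date
    new_value: Optional[str] = None   # replacement value, only for "correct"
    state: State = State.SUBMITTED
    verified_by: Optional[str] = None
    audit: List[str] = field(default_factory=list)  # who did what, for accountability

    def is_overdue(self, today: date) -> bool:
        """Still open past the 30-day response time the practitioner note gives as an example."""
        deadline = self.submitted_on + timedelta(days=30)
        return self.state not in (State.COMPLETED, State.REJECTED) and today > deadline

def verify(req: PiiRequest, verifier: str, identity_proven: bool) -> None:
    """Step 1: confirm the requester is the data subject or a designated representative."""
    if req.state is not State.SUBMITTED:
        raise ValueError("request already verified or closed")
    req.state = State.VERIFIED if identity_proven else State.REJECTED
    req.verified_by = verifier
    req.audit.append(f"verify by {verifier}: {'ok' if identity_proven else 'failed'}")

def approve(req: PiiRequest, approver: str) -> None:
    """Step 2: a second person approves; the verifier may not approve their own verification."""
    if req.state is not State.VERIFIED or approver == req.verified_by:
        raise ValueError("needs a verified request and an approver other than the verifier")
    req.state = State.APPROVED
    req.audit.append(f"approve by {approver}")

def apply_request(req: PiiRequest, records: Dict[str, Dict[str, str]], today: date) -> str:
    """Step 3: change stored PII only once approved; returns the notice sent to the individual."""
    if req.state is not State.APPROVED:
        raise ValueError("request is not approved")
    record = records[req.subject_id]
    if req.action == "correct":
        record[req.pii_field] = req.new_value
    else:  # "delete": remove the field value from the record
        record.pop(req.pii_field, None)
    req.state = State.COMPLETED
    req.audit.append(f"{req.action} {req.pii_field} applied {today}")
    return f"Your request to {req.action} '{req.pii_field}' was completed on {today.isoformat()}."
```

The `audit` list is the evidence trail a reviewer would ask for; `is_overdue` is what a ticketing report would call to flag requests that have exceeded the response time.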