NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-19(1)Collection

De-identify the dataset upon collection by not collecting personally identifiable information.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

If a data source contains personally identifiable information but the information will not be used, the dataset can be de-identified when it is created by not collecting the data elements that contain the personally identifiable information. For example, if an organization does not intend to use the social security number of an applicant, then application forms do not ask for a social security number.

Practitioner Notes

De-identify information at the point of collection when full PII is not needed for the stated purpose.

Example 1: If collecting survey responses, do not collect names or other identifiers unless they are essential to the survey purpose. Assign random identifiers at collection and store any linking table (if needed for follow-up) separately with restricted access.

Example 2: For website analytics, configure your tools to anonymize IP addresses at collection time. Google Analytics offers an IP anonymization feature that truncates visitor IP addresses before storage.

More System and Information Integrity Controls

SI-1 Policy and Procedures SI-2 Flaw Remediation SI-2(1) Central Management SI-2(2) Automated Flaw Remediation Status