NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-19(2)Archiving

Prohibit archiving of personally identifiable information elements if those elements in a dataset will not be needed after the dataset is archived.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Datasets can be archived for many reasons. The envisioned purposes for the archived dataset are specified, and if personally identifiable information elements are not required, the elements are not archived. For example, social security numbers may have been collected for record linkage, but the archived dataset may include the required elements from the linked records. In this case, it is not necessary to archive the social security numbers.

Practitioner Notes

De-identify PII before archiving data for long-term storage. Archived data often has weaker access controls, so removing PII reduces risk.

Example 1: Before moving old project data to archive storage, run a de-identification script that replaces employee names with generic identifiers, removes email addresses, and generalizes dates. Archive the de-identified version.

Example 2: Configure your database archival process to automatically apply data masking rules when moving records to archive tables. Direct identifiers are stripped and quasi-identifiers are generalized before the records are written to the archive.

More System and Information Integrity Controls

SI-1 Policy and Procedures SI-2 Flaw Remediation SI-2(1) Central Management SI-2(2) Automated Flaw Remediation Status