NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-19(3) Release

Remove personally identifiable information elements from a dataset prior to its release if those elements in the dataset do not need to be part of the data release.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Prior to releasing a dataset, a data custodian considers the intended uses of the dataset and determines if it is necessary to release personally identifiable information. If the personally identifiable information is not necessary, the information can be removed using de-identification techniques.

Practitioner Notes

De-identify data before releasing it to third parties or making it publicly available.

Example 1: Before sharing incident response data with an ISAC (Information Sharing and Analysis Center), remove all internal hostnames, IP addresses, employee names, and customer information. Share only the threat indicators and attack patterns.

Example 2: If publishing research data, use k-anonymity or l-diversity techniques to ensure no individual can be identified from the released dataset. Test with re-identification tools before publication to verify the de-identification is effective.
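The pre-release check described in Example 2 can be sketched as follows. This is an added example, not part of the control text or any NIST tooling. The field names, the choice of quasi-identifiers, the generalization rules and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records, not real data.
RECORDS = [
    {"name": "A. Jones", "email": "aj@example.com", "zip": "02139", "age": 34, "diagnosis": "flu"},
    {"name": "B. Smith", "email": "bs@example.com", "zip": "02138", "age": 36, "diagnosis": "asthma"},
    {"name": "C. Wu", "email": "cw@example.com", "zip": "02134", "age": 31, "diagnosis": "flu"},
    {"name": "D. Patel", "email": "dp@example.com", "zip": "10027", "age": 52, "diagnosis": "diabetes"},
    {"name": "E. Khan", "email": "ek@example.com", "zip": "10025", "age": 58, "diagnosis": "diabetes"},
    {"name": "F. Lee", "email": "fl@example.com", "zip": "10023", "age": 55, "diagnosis": "diabetes"},
]
DIRECT_IDENTIFIERS = {"name", "email"}  # assumption: the recipient does not need these
QUASI_IDENTIFIERS = ("zip", "age")      # assumption: linkable to outside data
SENSITIVE = "diagnosis"

def drop_fields(records, fields):
    """Remove PII elements that do not need to be part of the release."""
    return [{k: v for k, v in r.items() if k not in fields} for r in records]

def generalize(record):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix and 10-year age band."""
    low = record["age"] // 10 * 10
    return {**record, "zip": record["zip"][:3] + "**", "age": f"{low}-{low + 9}"}

def equivalence_classes(records, quasi):
    """Group records that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in quasi)].append(r)
    return classes

def k_anonymity(records, quasi):
    """Size of the smallest equivalence class."""
    return min(len(g) for g in equivalence_classes(records, quasi).values())

def l_diversity(records, quasi, sensitive):
    """Fewest distinct sensitive values found in any equivalence class."""
    groups = equivalence_classes(records, quasi).values()
    return min(len({r[sensitive] for r in g}) for g in groups)

def release_check(records, k, l):
    """Return (released rows, achieved k, achieved l, passes thresholds)."""
    released = [generalize(r) for r in drop_fields(records, DIRECT_IDENTIFIERS)]
    got_k = k_anonymity(released, QUASI_IDENTIFIERS)
    got_l = l_diversity(released, QUASI_IDENTIFIERS, SENSITIVE)
    return released, got_k, got_l, got_k >= k and got_l >= l

if __name__ == "__main__":
    _, got_k, got_l, ok = release_check(RECORDS, k=3, l=2)
    print(f"k={got_k} l={got_l} release_ok={ok}")
```

On the sample data the generalized release reaches k=3 but only l=1, because every record in one equivalence class carries the same diagnosis, so the check blocks the release even though k-anonymity alone would pass.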