NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-19(5)Statistical Disclosure Control

Manipulate numerical data, contingency tables, and statistical findings so that no individual or organization is identifiable in the results of the analysis.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Many types of statistical analyses can result in the disclosure of information about individuals even if only summary information is provided. For example, if a school that publishes a monthly table with the number of minority students enrolled, reports that it has 10-19 such students in January, and subsequently reports that it has 20-29 such students in March, then it can be inferred that the student who enrolled in February was a minority.

Practitioner Notes

Apply statistical disclosure control techniques to prevent identification of individuals from aggregate or statistical data.

Example 1: When publishing statistics, suppress cells with small counts (fewer than 5 individuals) to prevent identification. If only 2 people in your organization match a specific demographic combination, reporting their average salary effectively reveals individual data.

Example 2: Add random noise to published statistics so exact values cannot be used for re-identification. Instead of reporting that exactly 47 employees completed a training, report "approximately 45-50" or add Laplacian noise to the exact count.

More System and Information Integrity Controls

SI-1 Policy and Procedures SI-2 Flaw Remediation SI-2(1) Central Management SI-2(2) Automated Flaw Remediation Status