NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-19(7) Validated Algorithms and Software

Perform de-identification using validated algorithms and software that is validated to implement the algorithms.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Algorithms that appear to remove personally identifiable information from a dataset may in fact leave information that is personally identifiable or data that is re-identifiable. Software that is claimed to implement a validated algorithm may contain bugs or implement a different algorithm. Software may de-identify one type of data, such as integers, but not de-identify another type of data, such as floating point numbers. For these reasons, de-identification is performed using algorithms and software that are validated.

Practitioner Notes

Use validated, peer-reviewed algorithms and software for de-identification — do not invent your own de-identification methods.

Example 1: Use established de-identification tools like ARX (open-source data anonymization tool) that implement well-tested algorithms for k-anonymity, l-diversity, and t-closeness. These tools have been peer-reviewed and validated for correctness.

Example 2: When using commercial de-identification products, verify that the vendor documents their algorithms and has had them independently validated. Request documentation of the specific de-identification techniques used and their known limitations.
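The Supplemental Guidance notes that software may de-identify integers but not floating point numbers. The following acceptance check is an added example, not part of NIST's text or of any tool named above. It measures the k actually achieved on a tool's output and flags quasi-identifier columns that passed through unchanged. The records, column names, and `tool_under_test` are constructed stand-ins, and the check assumes the tool preserves row count and order.

```python
from collections import Counter

def min_class_size(rows, quasi_identifiers):
    """Smallest equivalence class over the quasi-identifiers: the k actually achieved."""
    classes = Counter(tuple(r[q] for q in quasi_identifiers) for r in rows)
    return min(classes.values()) if classes else 0

def unchanged_columns(original, released, columns):
    """Columns that came out of the tool identical to the input in every row."""
    return [c for c in columns
            if original and all(o[c] == r[c] for o, r in zip(original, released))]

def validate_release(original, released, quasi_identifiers, k):
    """Return findings; an empty list means the release passed both checks."""
    # Assumption: the tool keeps row count and order (no record suppression).
    if len(original) != len(released):
        raise ValueError("row counts differ; cannot compare column by column")
    findings = [f"{c} ({type(original[0][c]).__name__}) was not transformed"
                for c in unchanged_columns(original, released, quasi_identifiers)]
    achieved = min_class_size(released, quasi_identifiers)
    if achieved < k:
        findings.append(f"smallest equivalence class is {achieved}, required k={k}")
    return findings

# Constructed sample records (not real data).
ORIGINAL = [
    {"age": 34, "zip": "02139", "weight_kg": 71.4},
    {"age": 36, "zip": "02139", "weight_kg": 78.0},
    {"age": 38, "zip": "02141", "weight_kg": 64.2},
    {"age": 52, "zip": "02141", "weight_kg": 90.5},
    {"age": 55, "zip": "02139", "weight_kg": 87.3},
    {"age": 57, "zip": "02141", "weight_kg": 95.9},
]
QUASI_IDENTIFIERS = ["age", "zip", "weight_kg"]

def tool_under_test(rows, handles_floats):
    """Hypothetical stand-in for the product being validated."""
    out = []
    for r in rows:
        decade = r["age"] // 10 * 10
        weight = r["weight_kg"]
        if handles_floats:  # the faulty build skips this branch
            low = int(weight // 20) * 20
            weight = f"{low}-{low + 19}"
        out.append({"age": f"{decade}-{decade + 9}",
                    "zip": r["zip"][:3] + "**", "weight_kg": weight})
    return out

if __name__ == "__main__":
    for handles_floats in (False, True):
        released = tool_under_test(ORIGINAL, handles_floats)
        print(handles_floats, validate_release(ORIGINAL, released, QUASI_IDENTIFIERS, k=3))
```

Running the same check against every data type present in the production schema, not only the types in the vendor's demo data, is what exposes the type-specific gap.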