NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-4(19) Risk for Individuals

Implement {{ insert: param, si-04.19_odp.01 }} of individuals who have been identified by {{ insert: param, si-04.19_odp.02 }} as posing an increased level of risk.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Indications of increased risk from individuals can be obtained from different sources, including personnel records, intelligence agencies, law enforcement organizations, and other sources. The monitoring of individuals is coordinated with the management, legal, security, privacy, and human resource officials who conduct such monitoring. Monitoring is conducted in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

Practitioner Notes

When monitoring systems, consider the risk to individuals whose data may be collected — ensure monitoring does not disproportionately invade privacy.

Example 1: Define clear boundaries for employee monitoring in your acceptable use policy. Specify what is monitored (network traffic, email headers) and what is not (personal device content off the corporate network). Get legal review and employee acknowledgment.

Example 2: Anonymize or pseudonymize monitoring data where possible until an investigation is warranted. Your SIEM can track user IDs internally but only reveal the actual identity when a security analyst opens a formal investigation with manager approval.
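The gated re-identification flow sketched in Example 2, as an added illustration that is not part of the control text: events are ingested with an HMAC-SHA256 pseudonym in place of the user ID (stable, so analysts can still correlate activity), the pseudonym-to-identity mapping lives in a separately restricted store, and the identity is released only against an approved investigation record, with every lookup attempt audited. The key, the in-memory vault, the investigation record fields and the sample events are all constructed for the example.

```python
import hmac
import hashlib
from datetime import datetime, timezone

# Constructed example key; a real deployment keeps this in the SIEM's secret store.
PSEUDONYM_KEY = b"constructed-example-key-rotate-me"


def pseudonymize(user_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash: stable for correlation across events, not reversible without the key."""
    return "u_" + hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:16]


def ingest_event(event: dict, vault: dict) -> dict:
    """Replace the real identity with a pseudonym; keep the mapping in a restricted vault."""
    pseudonym = pseudonymize(event["user"])
    vault.setdefault(pseudonym, event["user"])
    return {**event, "user": pseudonym}


class ReidentificationDenied(Exception):
    """Raised when no approved investigation justifies revealing an identity."""


def reidentify(pseudonym: str, vault: dict, investigation: dict, audit_log: list) -> str:
    """Reveal an identity only under an approved investigation; every attempt is audited."""
    approved = bool(investigation.get("ticket")) and investigation.get("manager_approved") is True
    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "analyst": investigation.get("analyst"),
        "ticket": investigation.get("ticket"),
        "pseudonym": pseudonym,
        "granted": approved,
    })
    if not approved:
        raise ReidentificationDenied(f"no approved investigation for {pseudonym}")
    return vault[pseudonym]


# Constructed sample log events and investigation records (hypothetical values).
SAMPLE_EVENTS = [
    {"user": "jdoe", "action": "login", "src": "10.0.0.5"},
    {"user": "jdoe", "action": "file_download", "src": "10.0.0.5"},
    {"user": "asmith", "action": "login", "src": "10.0.0.9"},
]
APPROVED = {"analyst": "analyst1", "ticket": "INV-0001", "manager_approved": True}
UNAPPROVED = {"analyst": "analyst1", "ticket": None, "manager_approved": False}
```

Rotating the key breaks correlation across the rotation boundary, so rotation should align with the retention period of the pseudonymized events.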