SA-15(12)

Requirement

Require the developer of the system or system component to minimize the use of personally identifiable information in development and test environments.

Discussion

Organizations can minimize the risk to an individual's privacy by using techniques such as de-identification or synthetic data. Limiting the use of personally identifiable information in development and test environments helps reduce the level of privacy risk created by a system.

Title

Development Process, Standards, and Tools | Minimize Personally Identifiable Information
Family

System and Services Acquisition
NIST 800-53B Baseline(s)

NIST 800-53A Assessment Guidance

Examine

[SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing the development process; procedures addressing the minimization of personally identifiable information in testing, training, and research; personally identifiable information processing policy; procedures addressing the authority to test with personally identifiable information; standards and tools; solicitation documentation; service level agreements; acquisition contracts for the system or services; system security plan; privacy plan; other relevant documents or records].

Interview

[SELECT FROM: Organizational personnel with acquisition responsibilities; organizational personnel with information security and privacy responsibilities; system developer].

Test

[SELECT FROM: Organizational processes for the minimization of personally identifiable information in development and test environments; mechanisms to facilitate the minimization of personally identifiable information in development and test environments].

ID	Assessment Objectives
SA-15(12)	the developer of the system or system component is required to minimize the use of personally identifiable information in development and test environments.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!