• Requirement

    For systems that process personally identifiable information:

    1. Apply the following processing rules to data elements of personally identifiable information: [Assignment: organization-defined processing rules];
    2. Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system;
    3. Document each processing exception; and
    4. Review and remove exceptions that are no longer supported.
  • Discussion

    Managing the processing of personally identifiable information is an important aspect of protecting an individual's privacy. Applying, monitoring for, and documenting exceptions to processing rules ensure that personally identifiable information is processed only in accordance with established privacy requirements.

More Info

  • Title

    Boundary Protection | Personally Identifiable Information
  • Family

    System and Communications Protection
  • NIST 800-53B Baseline(s)

    • Privacy
  • Related NIST 800-53 ID


NIST 800-53A Assessment Guidance

CMMC Training

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!