SI-19(4)

  • Requirement

    Remove, mask, encrypt, hash, or replace direct identifiers in a dataset.

  • Discussion

    There are many possible processes for removing direct identifiers from a dataset. Columns in a dataset that contain a direct identifier can be removed. In masking, the direct identifier is transformed into a repeating character, such as XXXXXX or 999999. Identifiers can be encrypted or hashed so that the linked records remain linked. In the case of encryption or hashing, algorithms are employed that require the use of a key, including the Advanced Encryption Standard or a Hash-based Message Authentication Code. Implementations may use the same key for all identifiers or use a different key for each identifier. Using a different key for each identifier provides a higher degree of security and privacy. Identifiers can alternatively be replaced with a keyword, including transforming George Washington to PATIENT or replacing it with a surrogate value, such as transforming George Washington to Abraham Polk.
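
An added example, not part of the control text: the treatments described above (removal, masking, keyword replacement, keyed hashing with HMAC) applied to constructed rows. The column names, the `POLICY` mapping and the reading of "a different key for each identifier" as one key per identifier column are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample rows; every value is made up for this example.
RECORDS = [
    {"name": "George Washington", "ssn": "123-45-6789", "phone": "555-0100", "email": "gw@example.org", "dx": "J45"},
    {"name": "George Washington", "ssn": "123 45 6789", "phone": "555-0100", "email": "gw@example.org", "dx": "J45"},
    {"name": "Martha Custis", "ssn": "987-65-4321", "phone": "555-0199", "email": "mc@example.org", "dx": "E11"},
]

# Assumed policy: every column must be listed, so a new column fails closed.
POLICY = {"name": "replace", "ssn": "hmac", "phone": "mask", "email": "remove", "dx": "keep"}


def new_keys(policy):
    """Generate an independent random 256-bit key for each hashed column."""
    return {col: secrets.token_bytes(32) for col, act in policy.items() if act == "hmac"}


def pseudonym(key, value):
    """HMAC-SHA256 of the canonical value: equal inputs give equal tokens."""
    # Strip case and punctuation so formatting variants of one identifier stay linked.
    canonical = "".join(ch for ch in value.casefold() if ch.isalnum())
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def deidentify(records, policy, keys):
    """Return new rows with each direct identifier treated per the policy."""
    out = []
    for rec in records:
        clean = {}
        for col, value in rec.items():
            action = policy[col]  # KeyError on an unlisted column is intended
            if action == "keep":
                clean[col] = value
            elif action == "mask":
                clean[col] = "XXXXXX"  # fixed length, does not leak the original length
            elif action == "replace":
                clean[col] = "PATIENT"
            elif action == "hmac":
                clean[col] = pseudonym(keys[col], value)
            elif action != "remove":
                raise ValueError(f"unknown action {action!r} for column {col!r}")
        out.append(clean)
    return out


if __name__ == "__main__":
    for row in deidentify(RECORDS, POLICY, new_keys(POLICY)):
        print(row)
```

Anyone holding a column's key can recompute tokens from guessed identifiers, so the keys need the key management and cryptographic protection covered by the related controls SC-12 and SC-13.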

More Info

  • Title

    De-identification | Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers
  • Family

    System and Information Integrity
  • NIST 800-53B Baseline(s)

  • Related NIST 800-53 ID

    SC-12; SC-13

    NIST 800-53A Assessment Guidance
