Home / Frameworks / NIST 800-53 / PRIVACY Baseline

NIST SP 800-53 Revision 5

Security and Privacy Controls for Information Systems and Organizations

1196 All 149 Low 287 Moderate 370 High 96 Privacy

Showing 96 controls in PRIVACY baseline

AC — Access Control (2 controls)

AC-1Policy And Procedures

AC-3(14)Individual Access

AT — Awareness and Training (5 controls)

AT-1Policy And Procedures

AT-2Literacy Training And Awareness

AT-3Role-Based Training

AT-3(5)Processing Personally Identifiable Information

AT-4Training Records

AU — Audit and Accountability (4 controls)

AU-1Policy And Procedures

AU-2Event Logging

AU-3(3)Limit Personally Identifiable Information Elements

AU-11Audit Record Retention

CA — Assessment, Authorization, and Monitoring (6 controls)

CA-1Policy And Procedures

CA-2Control Assessments

CA-5Plan Of Action And Milestones

CA-6Authorization

CA-7Continuous Monitoring

CA-7(4)Risk Monitoring

CM — Configuration Management (2 controls)

CM-1Policy And Procedures

CM-4Impact Analyses

IR — Incident Response (10 controls)

IR-1Policy And Procedures

IR-2Incident Response Training

IR-3Incident Response Testing

IR-4Incident Handling

IR-5Incident Monitoring

IR-6Incident Reporting

IR-7Incident Response Assistance

IR-8Incident Response Plan

IR-8(1)Breaches

MP — Media Protection (2 controls)

MP-1Policy And Procedures

MP-6Media Sanitization

PE — Physical and Environmental Protection (1 controls)

PE-8(3)Limit Personally Identifiable Information Elements

PL — Planning (6 controls)

PL-1Policy And Procedures

PL-2System Security And Privacy Plans

PL-4Rules Of Behavior

PL-4(1)Social Media And External Site/Application Usage Restrictions

PL-8Security And Privacy Architectures

PL-9Central Management

PM — Program Management (24 controls)

PM-3Information Security And Privacy Resources

PM-4Plan Of Action And Milestones Process

PM-5(1)Inventory Of Personally Identifiable Information

PM-6Measures Of Performance

PM-7Enterprise Architecture

PM-8Critical Infrastructure Plan

PM-9Risk Management Strategy

PM-10Authorization Process

PM-11Mission And Business Process Definition

PM-13Security And Privacy Workforce

PM-14Testing, Training, And Monitoring

PM-17Protecting Controlled Unclassified Information On External Systems

PM-18Privacy Program Plan

PM-19Privacy Program Leadership Role

PM-20Dissemination Of Privacy Program Information

PM-20(1)Privacy Policies On Websites, Applications, And Digital Services

PM-21Accounting Of Disclosures

PM-22Personally Identifiable Information Quality Management

PM-24Data Integrity Board

PM-25Minimization Of Personally Identifiable Information Used In Testing, Training, And Research

PM-26Complaint Management

PM-27Privacy Reporting

PM-28Risk Framing

PM-31Continuous Monitoring Strategy

PS — Personnel Security (1 controls)

PS-6Access Agreements

PT — PII Processing and Transparency (13 controls)

PT-1Policy And Procedures

PT-2Authority To Process Personally Identifiable Information

PT-3Personally Identifiable Information Processing Purposes

PT-5Privacy Notice

PT-5(2)Privacy Act Statements

PT-6System Of Records Notice

PT-6(1)Routine Uses

PT-6(2)Exemption Rules

PT-7Specific Categories Of Personally Identifiable Information

PT-7(1)Social Security Numbers

PT-7(2)First Amendment Information

PT-8Computer Matching Requirements

RA — Risk Assessment (4 controls)

RA-1Policy And Procedures

RA-3Risk Assessment

RA-7Risk Response

RA-8Privacy Impact Assessments

SA — System and Services Acquisition (7 controls)

SA-1Policy And Procedures

SA-2Allocation Of Resources

SA-3System Development Life Cycle

SA-4Acquisition Process

SA-8(33)Minimization

SA-9External System Services

SA-11Developer Testing And Evaluation

SC — System and Communications Protection (1 controls)

SC-7(24)Personally Identifiable Information

SI — System and Information Integrity (8 controls)

SI-1Policy And Procedures

SI-12Information Management And Retention

SI-12(1)Limit Personally Identifiable Information Elements

SI-12(2)Minimize Personally Identifiable Information In Testing, Training, And Research

SI-12(3)Information Disposal

SI-18Personally Identifiable Information Quality Operations

SI-18(4)Individual Requests

SI-19De-Identification