NIST SP 800-53, REV. 5 SECURITY AND PRIVACY CONTROLS FOR INFORMATION SYSTEMS AND ORGANIZATIONS
_________________________________________________________________________________________________
CHAPTER THREE PAGE 352
This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-53r5
Discussion: Information management and retention requirements cover the full life cycle of
information, in some cases extending beyond system disposal. Information to be retained may
also include policies, procedures, plans, reports, data output from control implementation, and
other types of administrative information. The National Archives and Records Administration
(NARA) provides federal policy and guidance on records retention and schedules.
If organizations have a records management office, consider coordinating with records
management personnel. Records produced from the output of implemented controls that may
require management and retention include, but are not limited to: All XX-1, AC-6(9), AT-4,
AU-12, CA-2, CA-3, CA-5, CA-6, CA-7, CA-8, CA-9, CM-2, CM-3, CM-4, CM-6, CM-8, CM-9, CM-12,
CM-13, CP-2, IR-6, IR-8, MA-2, MA-4, PE-2, PE-8, PE-16, PE-17, PL-2, PL-4, PL-7, PL-8, PM-5,
PM-8, PM-9, PM-18, PM-21, PM-27, PM-28, PM-30, PM-31, PS-2, PS-6, PS-7, PT-2, PT-3, PT-7, RA-2,
RA-3, RA-5, RA-8, SA-4, SA-5, SA-8, SA-10, SI-4, SR-2, SR-4, SR-8.
Related Controls: All XX-1 Controls, AC-16, AU-5, AU-11, CA-2, CA-3, CA-5, CA-6, CA-7, CA-9,
CM-5, CM-9, CP-2, IR-8, MP-2, MP-3, MP-4, MP-6, PL-2, PL-4, PM-4, PM-8, PM-9, PS-2, PS-6, PT-2,
PT-3, RA-2, RA-3, SA-5, SA-8, SR-2.
Control Enhancements:
(1) INFORMATION MANAGEMENT AND RETENTION | LIMIT PERSONALLY IDENTIFIABLE INFORMATION ELEMENTS
Limit personally identifiable information being processed in the information life cycle to
the following elements of personally identifiable information: [Assignment: organization-
defined elements of personally identifiable information].
Discussion: Limiting the use of personally identifiable information throughout the
information life cycle when the information is not needed for operational purposes helps to
reduce the level of privacy risk created by a system. The information life cycle includes
information creation, collection, use, processing, storage, maintenance, dissemination,
disclosure, and disposition. Risk assessments as well as applicable laws, regulations, and
policies can provide useful inputs to determining which elements of personally identifiable
information may create risk.
Related Controls: PM-25.
(2) INFORMATION MANAGEMENT AND RETENTION | MINIMIZE PERSONALLY IDENTIFIABLE INFORMATION IN
TESTING, TRAINING, AND RESEARCH
Use the following techniques to minimize the use of personally identifiable information for
research, testing, or training: [Assignment: organization-defined techniques].
Discussion: Organizations can minimize the risk to an individual’s privacy by employing
techniques such as de-identification or synthetic data. Limiting the use of personally
identifiable information throughout the information life cycle when the information is not
needed for research, testing, or training helps reduce the level of privacy risk created by a
system. Risk assessments as well as applicable laws, regulations, and policies can provide
useful inputs to determining the techniques to use and when to use them.
Related Controls: PM-22, PM-25, SI-19.
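The discussion above names de-identification as one technique for producing test, training, or research copies of data without the original personally identifiable information. The following is an added illustration, not text or code from NIST SP 800-53, of what such a de-identification step can look like in practice: direct identifiers are suppressed, the record key is replaced by a keyed pseudonym (HMAC-SHA-256) so that records in the test copy remain linkable without exposing the real identifier, and quasi-identifiers are generalized (date of birth to an age band, postal code to a three-digit prefix). Any field not explicitly classified is rejected rather than passed through, so a new column added to the production export cannot silently leak into the test set. The field names, sample records, key, and reference date are all constructed for this example.

```python
"""
Added example (not from NIST SP 800-53): de-identifying a PII-bearing dataset
for use in testing, training, or research.

Techniques shown:
  - suppression of direct identifiers (name, email)
  - keyed pseudonymization of the record key (HMAC-SHA-256), preserving linkability
  - generalization of quasi-identifiers (dob -> age band, zip -> 3-digit prefix)
  - fail-closed handling of unclassified fields

All field names, records, the key, and the reference date are constructed.
"""
import hashlib
import hmac
from datetime import date

# Constructed sample export; record C-1001 appears twice to show linkability.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "name": "Ada Example", "email": "ada@example.com",
     "dob": "1984-03-12", "zip": "20740", "plan": "gold", "monthly_spend": 120.5},
    {"customer_id": "C-1002", "name": "Bo Sample", "email": "bo@example.net",
     "dob": "1999-11-02", "zip": "94110", "plan": "basic", "monthly_spend": 19.0},
    {"customer_id": "C-1001", "name": "Ada Example", "email": "ada@example.com",
     "dob": "1984-03-12", "zip": "20740", "plan": "gold", "monthly_spend": 131.0},
]

# Constructed demo values. In real use the key is a managed secret held by the
# data owner and never shipped with the de-identified copy; without it, low-entropy
# identifiers could otherwise be recovered by guessing and re-hashing.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"
AS_OF = date(2024, 1, 1)

# Classification of every field in the export. Unlisted fields are refused.
DIRECT_IDENTIFIERS = {"name", "email"}      # dropped entirely
PSEUDONYMIZED = {"customer_id"}             # replaced by keyed token
RETAINED = {"plan", "monthly_spend"}        # needed for testing, not identifying


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed, deterministic token: same input -> same token, not reversible without key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def age_band(dob_iso: str, as_of: date) -> str:
    """Generalize an ISO date of birth to a ten-year age band as of a reference date."""
    y, m, d = (int(p) for p in dob_iso.split("-"))
    age = as_of.year - y - int((as_of.month, as_of.day) < (m, d))
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def generalize_zip(zip_code: str) -> str:
    """Keep only the 3-digit ZIP prefix (sectional center), masking the rest."""
    return zip_code[:3] + "XX"


def deidentify_record(rec: dict, key: bytes, as_of: date) -> dict:
    """Apply the classification to one record; refuse fields that are not classified."""
    out = {}
    for field, value in rec.items():
        if field in DIRECT_IDENTIFIERS:
            continue                                  # suppress
        if field in PSEUDONYMIZED:
            out[field] = pseudonymize(value, key)     # keyed token
        elif field == "dob":
            out["age_band"] = age_band(value, as_of)  # generalize
        elif field == "zip":
            out["zip3"] = generalize_zip(value)       # generalize
        elif field in RETAINED:
            out[field] = value                        # pass through
        else:
            # Fail closed: a new production column must be classified before it
            # can reach the test copy.
            raise ValueError(f"unclassified field {field!r} refused")
    return out


def deidentify_dataset(records: list, key: bytes, as_of: date) -> list:
    """De-identify every record; any unclassified field aborts the whole run."""
    return [deidentify_record(r, key, as_of) for r in records]


if __name__ == "__main__":
    for row in deidentify_dataset(SAMPLE_RECORDS, DEMO_KEY, AS_OF):
        print(row)
```

The fail-closed branch is the part worth copying: schema drift in the source system is the usual way PII reappears in a "scrubbed" dataset, and refusing unknown fields turns that into a loud failure instead of a quiet leak. Generalization parameters (band width, ZIP prefix length) are where the risk assessment referred to in the text feeds in; coarser bands reduce re-identification risk at the cost of test fidelity.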
(3) INFORMATION MANAGEMENT AND RETENTION | INFORMATION DISPOSAL
Use the following techniques to dispose of, destroy, or erase information following the
retention period: [Assignment: organization-defined techniques].
Discussion: Organizations can minimize both security and privacy risks by disposing of
information when it is no longer needed. The disposal or destruction of information applies
to originals as well as copies and archived records, including system logs that may contain
personally identifiable information.