NIST 800-122
Organizations should minimize the use, collection, and retention of PII to what is strictly necessary to accomplish their business purpose and mission.
- Review current holdings of PII and ensure they are accurate, relevant, timely, and complete.
- Reduce PII holdings to the minimum necessary for proper performance of agency functions.
- Develop a schedule for periodic review of PII holdings.
- Establish a plan to eliminate the unnecessary collection and use of SSNs.
Organizations should categorize their PII by PII confidentiality impact level.
Organizations should evaluate how easily PII can be used to identify specific individuals.
Identifiability
Organizations should consider how many individuals can be identified from the PII. Breaches of 25 records and 25 million records may have different impacts.
Quantity of PII
Organizations should evaluate the sensitivity of each individual PII data field.
Data Field Sensitivity
Organizations should evaluate the context of use - the purpose for which the PII is collected, stored, used, processed, disclosed, or disseminated.
Context of Use
An organization that is subject to any obligations to protect PII should consider such obligations when determining the PII confidentiality impact level.
Obligations to Protect Confidentiality
Organizations may choose to take into consideration the nature of authorized access to and the location of PII.
Access to and Location of PII
Not all PII should be protected in the same way.
Organizations should apply the appropriate safeguards for PII based on the PII confidentiality impact level.
Organizations should develop comprehensive policies and procedures for protecting the confidentiality of PII.
Creating Policies and Procedures
Organizations should reduce the possibility that PII will be accessed, used, or disclosed inappropriately by requiring that all individuals receive appropriate training before being granted access to systems containing PII.
Conducting Training
Organizations can de-identify records by removing enough PII such that the remaining information does not identify an individual and there is no reasonable basis to believe that the information can be used to identify an individual.
De-Identifying PII
Organizations can control access to PII through access control policies and access enforcement mechanisms.
Using Access Enforcement
Organizations can prohibit or strictly limit access to PII from portable and mobile devices, such as laptops, cell phones, and personal digital assistants (PDA), which are generally higher-risk than non-portable devices (e.g., desktop computers at the organization's facilities).
Implementing Access Control for Mobile Devices
Organizations can protect the confidentiality of transmitted PII. This is most often accomplished by encrypting the communications or by encrypting the information before it is transmitted.
Providing Transmission Confidentiality
Organizations can monitor events that affect the confidentiality of PII, such as inappropriate access to PII.
Auditing Events
Breaches involving PII are hazardous to both individuals and organizations.