ATO Pathways
NIST Special Publication 800-53 Revision 5.1.1 PRIVACY BASELINE
An OSCAL Profile
102 controls organized in 16 groups
AC - Access Control
3 Controls
AC-1 - Policy and Procedures
AC-3 - Access Enforcement
1 Subcontrol
AC-3.14 - Individual Access
AT - Awareness and Training
5 Controls
AT-1 - Policy and Procedures
AT-2 - Literacy Training and Awareness
AT-3 - Role-based Training
1 Subcontrol
AT-3.5 - Processing Personally Identifiable Information
AT-4 - Training Records
AU - Audit and Accountability
5 Controls
AU-1 - Policy and Procedures
AU-2 - Event Logging
AU-11 - Audit Record Retention
AU-3 - Content of Audit Records
1 Subcontrol
AU-3.3 - Limit Personally Identifiable Information Elements
CA - Assessment, Authorization, and Monitoring
6 Controls
CA-1 - Policy and Procedures
CA-2 - Control Assessments
CA-5 - Plan of Action and Milestones
CA-6 - Authorization
CA-7 - Continuous Monitoring
1 Subcontrol
CA-7.4 - Risk Monitoring
CM - Configuration Management
2 Controls
CM-1 - Policy and Procedures
CM-4 - Impact Analyses
IR - Incident Response
10 Controls
IR-1 - Policy and Procedures
IR-2 - Incident Response Training
1 Subcontrol
IR-2.3 - Breach
IR-3 - Incident Response Testing
IR-4 - Incident Handling
IR-5 - Incident Monitoring
IR-6 - Incident Reporting
IR-7 - Incident Response Assistance
IR-8 - Incident Response Plan
1 Subcontrol
IR-8.1 - Breaches
MP - Media Protection
2 Controls
MP-1 - Policy and Procedures
MP-6 - Media Sanitization
PL - Planning
6 Controls
PL-1 - Policy and Procedures
PL-2 - System Security and Privacy Plans
PL-4 - Rules of Behavior
1 Subcontrol
PL-4.1 - Social Media and External Site/Application Usage Restrictions
PL-8 - Security and Privacy Architectures
PL-9 - Central Management
PM - Program Management
25 Controls
PM-3 - Information Security and Privacy Resources
PM-4 - Plan of Action and Milestones Process
PM-6 - Measures of Performance
PM-7 - Enterprise Architecture
PM-8 - Critical Infrastructure Plan
PM-9 - Risk Management Strategy
PM-10 - Authorization Process
PM-11 - Mission and Business Process Definition
PM-13 - Security and Privacy Workforce
PM-14 - Testing, Training, and Monitoring
PM-17 - Protecting Controlled Unclassified Information on External Systems
PM-18 - Privacy Program Plan
PM-19 - Privacy Program Leadership Role
PM-20 - Dissemination of Privacy Program Information
1 Subcontrol
PM-20.1 - Privacy Policies on Websites, Applications, and Digital Services
PM-21 - Accounting of Disclosures
PM-22 - Personally Identifiable Information Quality Management
PM-24 - Data Integrity Board
PM-25 - Minimization of Personally Identifiable Information Used in Testing, Training, and Research
PM-26 - Complaint Management
PM-27 - Privacy Reporting
PM-28 - Risk Framing
PM-31 - Continuous Monitoring Strategy
PM-5 - System Inventory
1 Subcontrol
PM-5.1 - Inventory of Personally Identifiable Information
PS - Personnel Security
1 Control
PS-6 - Access Agreements
PT - Personally Identifiable Information Processing and Transparency
13 Controls
PT-1 - Policy and Procedures
PT-2 - Authority to Process Personally Identifiable Information
PT-3 - Personally Identifiable Information Processing Purposes
PT-4 - Consent
PT-5 - Privacy Notice
1 Subcontrol
PT-5.2 - Privacy Act Statements
PT-6 - System of Records Notice
2 Subcontrols
PT-6.1 - Routine Uses
PT-6.2 - Exemption Rules
PT-7 - Specific Categories of Personally Identifiable Information
2 Subcontrols
PT-7.1 - Social Security Numbers
PT-7.2 - First Amendment Information
PT-8 - Computer Matching Requirements
RA - Risk Assessment
4 Controls
RA-1 - Policy and Procedures
RA-3 - Risk Assessment
RA-7 - Risk Response
RA-8 - Privacy Impact Assessments
SA - System and Services Acquisition
8 Controls
SA-1 - Policy and Procedures
SA-2 - Allocation of Resources
SA-3 - System Development Life Cycle
SA-4 - Acquisition Process
SA-9 - External System Services
SA-11 - Developer Testing and Evaluation
SA-8 - Security and Privacy Engineering Principles
1 Subcontrol
SA-8.33 - Minimization
SI - System and Information Integrity
8 Controls
SI-1 - Policy and Procedures
SI-12 - Information Management and Retention
3 Subcontrols
SI-12.1 - Limit Personally Identifiable Information Elements
SI-12.2 - Minimize Personally Identifiable Information in Testing, Training, and Research
SI-12.3 - Information Disposal
SI-18 - Personally Identifiable Information Quality Operations
1 Subcontrol
SI-18.4 - Individual Requests
SI-19 - De-identification
PE - Physical and Environmental Protection
2 Controls
PE-8 - Visitor Access Records
1 Subcontrol
PE-8.3 - Limit Personally Identifiable Information Elements
SC - System and Communications Protection
2 Controls
SC-7 - Boundary Protection
1 Subcontrol
SC-7.24 - Personally Identifiable Information