CCI-003395

The organization determines and documents the legal authority that permits the sharing of personally identifiable information (PII), either generally or in support of a specific program or information system need.

Implementation Guidance

The organization being inspected/assessed identifies and documents in applicable privacy notices and privacy impact assessment, the legal authority applicable to the information system permitting the collection of PII IAW 5 USC 552a, DoDD 5400.11, DoD 5400.11-R, and DoDD 5400.16.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the applicable privacy documentation to ensure the organization being inspected/assessed has documented the legal authority that permits the dissemination or sharing of PII, and that such dissemination or sharing is related to, and compatible with, the purpose and scope of the authority described in the privacy documentation.

Compelling Evidence

1.) Site must produce signed and/or published PII documentation which describes PII policy on the sharing of PII. Such PII documentation may include, but is not limited to, the relevant Privacy Act system of records notice, the DD 2930 (Privacy Impact Assessment), the system privacy plan (SPP), Computer Matching Act agreement, MOA or MOU.

The controls below (if any) were marked by NIST as being related to CCI-003395.