CCI-003455
CCI-003455 Definition
Status | |
Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
To the extent feasible, when designing information systems, the organization being inspected/assessed employs technologies and system capabilities that automate privacy controls on the collection, use, retention, and disclosure of personally identifiable information (PII). For example, when sharing records between systems, design the system to only share PII data fields within a record that are relevant to the purpose of sharing rather than sending the entire record (which may contain PII data fields that are not relevant to the purpose for sharing).

Privacy requirements and controls should be identified during the concept and requirements development phases of system design, and design decisions should be documented in appropriate system artifacts throughout (e.g., system design documents, system security plans, interconnection security agreements, and Privacy Impact Assessments). By building privacy controls into system design and development, DoD Components mitigate privacy risks to PII, thereby reducing the likelihood of information system breaches and other privacy-related incidents.

DoD Components also plan for and conduct periodic reviews of systems to determine the need for updates to maintain compliance with the Privacy Act as well as the DoD's and DoD Component's privacy policies. Regardless of whether automated privacy controls are employed, DoD Components regularly monitor information system use and sharing of PII to ensure that the use/sharing is consistent with the authorized purposes identified in the Privacy Act and/or in the public notice of organizations (e.g., System of Records Notices), or in a manner compatible with those purposes.
Validation Procedures
The organization conducting the inspection/assessment:
1. reviews policies and procedures that govern the organization's systems engineering lifecycle to ensure privacy requirements are included in the process;
2. obtains and examines system design documents and examines the information system to ensure it includes automated privacy controls;
3. examines plans for periodic reviews to ensure they are commensurate with the privacy risks identified for the system and that they are occurring based on the planned frequency; and
4. when available, examines results of reviews and associated action plans to address findings to ensure they are being addressed.
Compelling Evidence
1. Check documentation for reviews, policies, and procedures that govern the organization's systems engineering lifecycle to ensure privacy requirements are included in the process.
2. Obtain and examine system design documents and examine the information system to ensure it includes automated privacy controls.
3. Examine plans for periodic reviews to ensure they are commensurate with the privacy risks identified for the system and that they are occurring based on the planned frequency.
4. When available, examine results of reviews and associated action plans to address findings to ensure they are being addressed.