CCI-003550

The organization updates, per organization-defined frequency, an inventory that contains a listing of all information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII).

Implementation Guidance

The organization being inspected/assessed documents and implements a process to update, within three years of PIA approval and when a significant system change or a change in privacy or security posture occurs, an inventory that contains a listing of all information systems identified as collecting, using, maintaining, or sharing PII. The organization must maintain an audit trail of updates. DoD has defined the frequency as within three years of PIA approval and when a significant system change or a change in privacy or security posture occurs.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of updates to ensure the organization being inspected/assessed updates, within three years of PIA approval and when a significant system change or a change in privacy or security posture occurs, an inventory that contains a listing of all information systems identified as collecting, using, maintaining, or sharing PII. DoD has defined the frequency as within three years of PIA approval and when a significant system change or a change in privacy or security posture occurs.

Compelling Evidence

reference in SSP the frequency at which information system inventory updates are to occur. Examine inventory list and ensure it is within defined interval

The controls below (if any) were marked by NIST as being related to CCI-003550.