CCI-003552

The organization provides each update of the personally identifiable information (PII) inventory to the CIO or information security official, per organization-defined frequency, to support the establishment of information security requirements for all new or modified information systems containing PII.

Implementation Guidance

The organization being inspected/assessed documents and implements a process to provide each update of the PII inventory to the CIO or information security official, within three years of PIA approval and when a significant system change or a change in privacy or security posture occurs, to support the establishment of information security requirements for all new or modified information systems containing PII. DoD has defined the frequency as within three years of PIA approval and when a significant system change or a change in privacy or security posture occurs.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed provides each update of the PII inventory to the CIO or information security official, within three years of PIA approval and when a significant system change or a change in privacy or security posture occurs, to support the establishment of information security requirements for all new or modified information systems containing PII. DoD has defined the frequency as within three years of PIA approval and when a significant system change or a change in privacy or security posture occurs.

Compelling Evidence

Show current inventory list in CIO possession. Reference in SSP the frequency at which CIO is to be informed of inventory update.

The controls below (if any) were marked by NIST as being related to CCI-003552.