Navigate

CCI-003589

CCI-003589 Definition

The organization shares personally identifiable information (PII) externally, only for the authorized purposes identified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible with those purposes.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed documents and implements a process to share IAW DoDD 5400.11 and DoD 5400.11-R, PII externally, only for the authorized purposes or for a purpose that is compatible with those purposes. Planned use of PII must be identified and documented as an authorized purposes in the corresponding SORN, PIA, security plan, or other system-specific document.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed shares IAW DoD 5400.11, PII externally, only for the authorized purposes or for a purpose that is compatible with those purposes. Planned use of PII must be identified and documented as an authorized purposes in the corresponding SORN, PIA, security plan, or other system-specific document.

Compelling Evidence

1.) Produce signed and dated SSP 2.) Reference section pertaining to PII, and verify the SSP defines a process to share IAW DoDD 5400.11 and DoD 5400.11-R, PII externally, only for the authorized purposes or for a purpose that is compatible with those purposes. 3.) Verify planned use of PII is identified and documented as an authorized purposes in the corresponding SORN, PIA, security plan, or other system-specific document

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003589.

Control	Description
UL-2	The organization: a. Shares personally identifiable information (PII) externally, only for the authorized purposes identified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible with those purposes; b. Where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the PII covered and specifically enumerate the purposes for which the PII may be used; c. Monitors, audits, and trains its staff on the authorized sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII; and d. Evaluates any proposed new instances of sharing PII with third parties to assess whether the sharing is authorized and whether additional or new public notice is required.

Control

Description

UL-2

The organization: a. Shares personally identifiable information (PII) externally, only for the authorized purposes identified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible with those purposes; b. Where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the PII covered and specifically enumerate the purposes for which the PII may be used; c. Monitors, audits, and trains its staff on the authorized sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII; and d. Evaluates any proposed new instances of sharing PII with third parties to assess whether the sharing is authorized and whether additional or new public notice is required.