Navigate

CCI-003593

CCI-003593 Definition

The organization audits its staff on the authorized sharing of personally identifiable information (PII) with third parties.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed documents and implements a process IAW DoDD 5400.11 and DoD 5400.11-R, to audit its staff on the authorized sharing of PII with third parties. The organization must maintain records of audits.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented process as well as the records of audits to ensure the organization being inspected/assessed audits its staff, IAW DoDD 5400.11 and DoD 5400.11-R, on the authorized sharing of PII with third parties.

Compelling Evidence

1.) Produce signed and dated SSP 2.) Reference section pertaining to PII, and verify the SSP defines a process IAW DoDD 5400.11 and DoD 5400.11-R, to audit its staff on the authorized sharing of PII with third parties. 3.) Validate the site is implementing this process 4.) Produce records of audits

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003593.

Control	Description
UL-2	The organization: UL-2a.: Shares personally identifiable information (PII) externally, only for the authorized purposes identified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible with those purposes; UL-2b.: Where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the PII covered and specifically enumerate the purposes for which the PII may be used; UL-2c.: Monitors, audits, and trains its staff on the authorized sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII; and UL-2d.: Evaluates any proposed new instances of sharing PII with third parties to assess whether the sharing is authorized and whether additional or new public notice is required.

Control

Description

UL-2

The organization:

UL-2a.: Shares personally identifiable information (PII) externally, only for the authorized purposes identified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible with those purposes;

UL-2b.: Where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the PII covered and specifically enumerate the purposes for which the PII may be used;

UL-2c.: Monitors, audits, and trains its staff on the authorized sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII; and

UL-2d.: Evaluates any proposed new instances of sharing PII with third parties to assess whether the sharing is authorized and whether additional or new public notice is required.