CCI-004834

Require the developer of the system or system component to minimize the use of personally identifiable information in development and test environments.

Implementation Guidance

Determine if the developer of the system or system component is required to minimize the use of personally identifiable information in development and test environments.

Validation Procedures

Examine: [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing the development process; procedures addressing the minimization of personally identifiable information in testing, training, and research; personally identifiable information processing policy; procedures addressing the authority to test with personally identifiable information; standards and tools; solicitation documentation; service level agreements; acquisition contracts for the system or services; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with acquisition responsibilities; organizational personnel with information security and privacy responsibilities; system developer]. Test: [SELECT FROM: Organizational processes for the minimization of personally identifiable information in development and test environments; mechanisms to facilitate the minimization of personally identifiable information in development and test environments].

The controls below (if any) were marked by NIST as being related to CCI-004834.