NIST 800-53 REV 5 • PHYSICAL AND ENVIRONMENTAL PROTECTION
PE-8(3) — Limit Personally Identifiable Information Elements
Limit personally identifiable information contained in visitor access records to the following elements identified in the privacy risk assessment: {{ insert: param, pe-08.03_odp }}.
Supplemental Guidance
Organizations may have requirements that specify the contents of visitor access records. Limiting personally identifiable information in visitor access records when such information is not needed for operational purposes helps reduce the level of privacy risk created by a system.
Practitioner Notes
Visitor access records often contain personal information (names, ID numbers, photos). This enhancement requires you to limit the PII collected to only what is necessary, based on a privacy risk assessment.
Example 1: Review your visitor sign-in form and remove any fields that are not necessary for security purposes. You likely need name, organization, host employee, and entry/exit times — but you may not need full address, phone number, or Social Security number.
Example 2: Configure your digital visitor management system to automatically purge visitor records after your required retention period. Set appropriate access controls so only security and compliance staff can view visitor PII. Include visitor data handling in your privacy documentation.
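As an added example (not NIST text or any visitor-management vendor's code) of the two practices above, enforcing a field allow-list at intake and purging records after the retention period, the following Python assumes a hypothetical allow-list standing in for the pe-08.03_odp parameter and uses constructed sample sign-in records:

```python
"""Added example: enforce a PII allow-list on visitor access records and
purge records past their retention period. Not NIST text or vendor code."""
from datetime import datetime, timedelta, timezone

# Hypothetical allow-list standing in for the PE-8(3) parameter: the PII
# elements the privacy risk assessment found necessary for this facility.
ALLOWED_ELEMENTS = {"name", "organization", "host_employee",
                    "entry_time", "exit_time"}

# Constructed sample sign-ins; the first over-collects phone and SSN.
SAMPLE_SIGN_INS = [
    {"name": "A. Visitor", "organization": "Example Corp",
     "host_employee": "J. Host", "entry_time": "2024-01-10T09:00:00+00:00",
     "exit_time": "2024-01-10T11:30:00+00:00",
     "phone": "555-0100", "ssn": "000-00-0000"},
    {"name": "B. Visitor", "organization": "Example LLC",
     "host_employee": "K. Host", "entry_time": "2024-03-01T14:00:00+00:00",
     "exit_time": None},
]
AS_OF = datetime(2024, 3, 5, tzinfo=timezone.utc)  # constructed "now"

def minimize_record(record):
    """Keep only allowed elements. Returns (minimized record, dropped field
    names); names only, so over-collection is logged without copying PII."""
    dropped = set(record) - ALLOWED_ELEMENTS
    kept = {k: v for k, v in record.items() if k in ALLOWED_ELEMENTS}
    return kept, dropped

def purge_expired(records, retention_days, now):
    """Drop records whose exit_time is older than the retention window.
    Open visits (exit_time None) are never purged mid-stay."""
    cutoff = now - timedelta(days=retention_days)
    kept = []
    for r in records:
        exit_time = r.get("exit_time")
        if exit_time is not None and datetime.fromisoformat(exit_time) < cutoff:
            continue
        kept.append(r)
    return kept, len(records) - len(kept)

def process_sign_ins(records, retention_days, now):
    """Minimize, then apply retention: (stored, over-collected fields, purged)."""
    minimized, over_collected = [], set()
    for rec in records:
        kept, dropped = minimize_record(rec)
        minimized.append(kept)
        over_collected |= dropped
    stored, purged = purge_expired(minimized, retention_days, now)
    return stored, over_collected, purged
```

The set of over-collected field names is what to feed back into the sign-in form review in Example 1; the values themselves never leave intake.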