NIST 800-53 REV 5 • PROGRAM MANAGEMENT
PM-18 — Privacy Program Plan
Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and: Includes a description of the structure of the privacy program and the resources dedicated to the privacy program; Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements; Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities; Describes management commitment, compliance, and the strategic goals and objectives of the privacy program; Reflects coordination among organizational entities responsible for the different aspects of privacy; and Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and Update the plan {{ insert: param, pm-18_odp }} and to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments.
Supplemental Guidance
A privacy program plan is a formal document that provides an overview of an organization’s privacy program, including a description of the structure of the privacy program, the resources dedicated to the privacy program, the role of the senior agency official for privacy and other privacy officials and staff, the strategic goals and objectives of the privacy program, and the program management controls and common controls in place or planned for meeting applicable privacy requirements and managing privacy risks. Privacy program plans can be represented in single documents or compilations of documents. The senior agency official for privacy is responsible for designating which privacy controls the organization will treat as program management, common, system-specific, and hybrid controls. Privacy program plans provide sufficient information about the privacy program management and common controls (including the specification of parameters and assignment and selection operations explicitly or by reference) to enable control implementations that are unambiguously compliant with the intent of the plans and a determination of the risk incurred if the plans are implemented as intended. Program management controls are generally implemented at the organization level and are essential for managing the organization’s privacy program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. Together, the privacy plans for individual systems and the organization-wide privacy program plan provide complete coverage for the privacy controls employed within the organization. Common controls are documented in an appendix to the organization’s privacy program plan unless the controls are included in a separate privacy plan for a system. The organization-wide privacy program plan indicates which separate privacy plans contain descriptions of privacy controls.
Practitioner Notes
Just like your security program plan (PM-1), you need a separate privacy program plan that describes how your organization protects personally identifiable information across all systems and processes.
Example 1: Write a privacy program plan that covers what PII you collect, why you collect it, how long you keep it, who can access it, and how you dispose of it. Include your legal basis for processing (consent, contract, legal obligation) and your breach notification procedures.
Example 2: In Microsoft Purview Compliance Manager, use the Privacy assessment templates to track your privacy controls. The dashboard shows your privacy compliance score and identifies gaps in your program. Use the recommended improvement actions as your privacy program roadmap.