NIST 800-53 REV 5 • PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY

PT-2(1) Data Tagging

Attach data tags containing [Assignment: organization-defined authorized processing] to [Assignment: organization-defined elements of personally identifiable information].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Supplemental Guidance

Data tags support the tracking and enforcement of authorized processing by conveying the types of processing that are authorized along with the relevant elements of personally identifiable information throughout the system. Data tags may also support the use of automated tools.

Practitioner Notes

Data tagging means labeling PII with metadata that indicates the legal authority and purpose for which the data was collected. This makes it possible to automatically enforce processing rules based on those tags.

Example 1: In your database schema, add metadata fields that tag each PII record with its collection purpose (e.g., 'employment,' 'contract administration,' 'benefits') and legal authority. These tags help ensure the data is not repurposed beyond its original authorization.

Example 2: Use Microsoft Purview Sensitivity Labels to tag documents containing PII with their processing authority. Create labels like 'PII - Consent Based' and 'PII - Legal Obligation' and apply them to documents and emails. Configure DLP policies to enforce different handling rules based on the label.
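The schema approach from Example 1 is sketched below as an added example; it is not part of the NIST control text or of any product. It uses Python with an in-memory SQLite database. The table names, column names, function names, sample rows and authority strings are all assumptions constructed for illustration.

```python
import sqlite3

# Hypothetical schema: every PII element row carries its own purpose and
# legal-authority tags, and the database rejects rows with missing or unknown tags.
SCHEMA = """
CREATE TABLE pii_record (
    id              INTEGER PRIMARY KEY,
    subject         TEXT NOT NULL,
    element         TEXT NOT NULL,
    value           TEXT NOT NULL,
    purpose         TEXT NOT NULL CHECK (purpose IN
                        ('employment', 'contract administration', 'benefits')),
    legal_authority TEXT NOT NULL CHECK (length(legal_authority) > 0)
);
CREATE TABLE access_audit (
    requester TEXT, element TEXT, declared_purpose TEXT, rows_returned INTEGER
);
"""

# Constructed sample data; values and authority strings are placeholders.
SAMPLE = [
    ("emp-001", "ssn", "000-00-0000", "employment", "PLACEHOLDER-AUTHORITY-A"),
    ("emp-001", "bank_account", "0000000000", "benefits", "PLACEHOLDER-AUTHORITY-B"),
    ("ven-042", "tax_id", "00-0000000", "contract administration", "PLACEHOLDER-AUTHORITY-C"),
]

def open_store():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO pii_record (subject, element, value, purpose, legal_authority)"
        " VALUES (?, ?, ?, ?, ?)", SAMPLE)
    return db

def read_pii(db, requester, element, declared_purpose):
    """Return rows only where the purpose tag matches the declared purpose."""
    rows = db.execute(
        "SELECT subject, value, legal_authority FROM pii_record"
        " WHERE element = ? AND purpose = ?", (element, declared_purpose)).fetchall()
    # Log every request, including those the tag filter left empty.
    db.execute("INSERT INTO access_audit VALUES (?, ?, ?, ?)",
               (requester, element, declared_purpose, len(rows)))
    return rows

def denied_requests(db):
    """Requests that matched no tagged row: candidates for repurposing review."""
    return db.execute(
        "SELECT requester, element, declared_purpose FROM access_audit"
        " WHERE rows_returned = 0").fetchall()
```

Routing all reads through a purpose-checked accessor such as `read_pii` is what turns the tags from documentation into enforcement, and the audit table gives reviewers a record of requests whose declared purpose did not match any tag.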