NIST 800-53 REV 5 • PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY

PT-6 System of Records Notice

For systems that process information that will be maintained in a Privacy Act system of records:
a. Draft system of records notices in accordance with OMB guidance and submit new and significantly modified system of records notices to the OMB and appropriate congressional committees for advance review;
b. Publish system of records notices in the Federal Register; and
c. Keep system of records notices accurate, up-to-date, and scoped in accordance with policy.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

The [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) requires that federal agencies publish a system of records notice in the Federal Register upon the establishment and/or modification of a [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) system of records. As a general matter, a system of records notice is required when an agency maintains a group of any records under the control of the agency from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifier. The notice describes the existence and character of the system and identifies the system of records, the purpose(s) of the system, the authority for maintenance of the records, the categories of records maintained in the system, the categories of individuals about whom records are maintained, the routine uses to which the records are subject, and additional details about the system as described in [OMB A-108](#3671ff20-c17c-44d6-8a88-7de203fa74aa).

Practitioner Notes

A System of Records Notice (SORN) is a formal notice published in the Federal Register that describes a system maintaining records about individuals from which information is retrieved by name or another personal identifier. The requirement comes from the Privacy Act and applies to federal agencies; it has no direct CMMC or NIST 800-171 equivalent, so contractors handling CUI are not expected to publish SORNs unless they operate a Privacy Act system of records on an agency's behalf.

Example 1: Before deploying a new system that stores PII retrievable by name or SSN, draft a SORN that describes the system name and location, the categories of individuals covered, the categories of records maintained, the authority for maintaining the records, the purpose(s) of the system, the routine uses, and the procedures by which individuals can be notified about, access, or contest their records. Submit the draft to OMB and the appropriate congressional committees for advance review, then publish it in the Federal Register before the system begins operating or before any new routine use takes effect.

Example 2: Maintain a SORN inventory that lists every published SORN, its Federal Register publication date, the systems it covers, the system owner responsible for it, and the next scheduled review date. Review each SORN on a fixed cycle (for example, every two years) and whenever the covered system undergoes a significant change, such as a new category of records, a new routine use, or a change in how records are retrieved, so that the published notice continues to describe the system accurately. When a system is retired, update the inventory and rescind the notice rather than leaving a stale SORN in place.