NIST 800-53 REV 5 • PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY

PT-7(1) Social Security Numbers

When a system processes Social Security numbers:

(a) Eliminate unnecessary collection, maintenance, and use of Social Security numbers, and explore alternatives to their use as a personal identifier;

(b) Do not deny any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose his or her Social Security number; and

(c) Inform any individual who is asked to disclose his or her Social Security number whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Federal law and policy establish specific requirements for organizations’ processing of Social Security numbers. Organizations take steps to eliminate unnecessary uses of Social Security numbers and other sensitive information and observe any particular requirements that apply.

Practitioner Notes

Social Security numbers (SSNs) require special handling due to the severe consequences of unauthorized disclosure. Eliminate unnecessary SSN collection and protect SSNs wherever they must be used.

Example 1: Audit all forms, databases, and processes that collect or store SSNs. Eliminate SSN collection wherever an alternative identifier can be used (employee ID, account number). Where SSNs must be used, mask them so only the last four digits are displayed and the full number is encrypted at rest.

Example 2: In Microsoft 365, create a DLP policy using the built-in U.S. Social Security Number (SSN) sensitive information type. Configure the policy to block SSNs from being sent in email, uploaded to unapproved cloud storage, or shared in Teams chats. Alert the privacy officer when violations are detected.
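The masking rule from Example 1 and the detection logic behind a DLP rule like Example 2, shown as an added Python example (not part of this control text or any Microsoft product); the sample ticket text and the plausibility checks are constructed here, and the SSA number ranges it excludes (area 000, 666, 900-999; group 00; serial 0000) are the publicly documented never-issued ranges:

```python
import re

# Candidate SSN: 3-2-4 digits with optional dash/space separators, not embedded
# in a longer digit run (so order numbers and phone numbers do not match).
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject ranges the SSA never issues; this is what keeps a DLP rule's
    false-positive rate down without weakening detection of real SSNs."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def mask_ssn(ssn: str) -> str:
    """Display form per Example 1: only the last four digits are visible."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("expected a 9-digit SSN")
    return "XXX-XX-" + digits[-4:]


def find_ssns(text: str) -> list[str]:
    """Return every plausible SSN in text, normalised to dashed form."""
    return [
        f"{area}-{group}-{serial}"
        for area, group, serial in SSN_RE.findall(text)
        if is_plausible_ssn(area, group, serial)
    ]


def redact_ssns(text: str) -> tuple[str, int]:
    """Replace each plausible SSN with its masked form; return (text, count)."""
    count = 0

    def _sub(m: re.Match) -> str:
        nonlocal count
        area, group, serial = m.groups()
        if not is_plausible_ssn(area, group, serial):
            return m.group(0)
        count += 1
        return mask_ssn(area + group + serial)

    return SSN_RE.sub(_sub, text), count


# Constructed sample: one real-looking SSN, one placeholder, one PO number.
SAMPLE = (
    "Ticket 4711: new hire 123-45-6789 (Jane Doe) needs onboarding.\n"
    "Ignore 000-12-3456, it is a placeholder; PO 987654321 is not an SSN.\n"
)
```

Running `redact_ssns(SAMPLE)` leaves the placeholder and PO number untouched and masks only the genuine candidate, which is the behaviour a privacy officer wants before a ticket is stored or forwarded.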