NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-3(2) — Use of Live or Operational Data
(a) Approve, document, and control the use of live data in preproduction environments for the system, system component, or system service; and (b) Protect preproduction environments for the system, system component, or system service at the same impact or classification level as any live data in use within the preproduction environments.
Supplemental Guidance
Live data is also referred to as operational data. The use of live or operational data in preproduction (i.e., development, test, and integration) environments can result in significant risks to organizations. In addition, the use of personally identifiable information in testing, research, and training increases the risk of unauthorized disclosure or misuse of such information. Therefore, it is important for the organization to manage any additional risks that may result from the use of live or operational data. Organizations can minimize such risks by using test or dummy data during the design, development, and testing of systems, system components, and system services. Risk assessment techniques may be used to determine if the risk of using live or operational data is acceptable.
Practitioner Notes
Using live or operational data in development and test environments creates risk because those environments rarely get production's protections: access is broader (developers, contractors, CI runners, shared service accounts), logging and monitoring are thinner, and copies proliferate into laptops, containers, and backups. A production extract carries production's sensitivity with it, so part (b) of the control obliges you to protect the whole preproduction environment at that level, which is usually far more expensive than keeping the live data out in the first place. Prefer synthetic data, or a statically masked copy, whenever possible, and treat any approved exception as a documented, time-bounded decision with a named owner.
Example 1: Establish a policy that prohibits copying production data into non-production environments without a documented approval and prior masking. When testing needs production-shaped data, either de-identify a copy with a static masking tool (Redgate Data Masker rewrites the values in a copy before it leaves the production boundary) or generate synthetic records with a library such as Faker that match the production schema and referential structure without containing any real PII. In both cases, keep a check in the refresh pipeline that fails the copy if any original identifier is still present.
Example 2: In Azure SQL, Dynamic Data Masking (DDM) can be applied to sensitive columns (masking functions such as default(), email(), partial() and random()) so that users without the UNMASK permission see obscured values in query results. Note what it does not do: DDM does not change the stored data. A test database with DDM enabled still contains the real names, SSNs, emails, and financial figures; anyone with db_owner or UNMASK, anyone who can read a backup or export, and anyone who can run queries with chosen predicates (Microsoft documents that masked values can be inferred through WHERE-clause probing) gets the live data. Treat DDM as a presentation-layer control for production reads, not as a way to make a production copy safe for preproduction. For copies, mask statically: rewrite the sensitive columns in the copy before it is handed over, so that the live values never exist in the test environment at all.
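As an added worked example (not part of the original page, and not the code of any product named above), the following Python script shows the static masking step that both examples rely on: a keyed, deterministic pseudonymisation that keeps the customers/orders join intact across two tables, format-preserving output for SSN and email so existing validators still pass, and a release gate that refuses to ship the copy if any original identifier survives anywhere in it. The two tables, the people in them and the MASKING_KEY value are constructed for this example; in a real pipeline the key is held only by the masking job inside the production boundary and is rotated on every refresh.

```python
import hashlib
import hmac

# Constructed sample production extract (fictional people, for this example only).
# orders joins customers on customer_id AND on email, so masking must keep
# both keys consistent across tables or the test copy becomes useless.
PROD_CUSTOMERS = [
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "ssn": "123-45-6789", "balance": 1523.40},
    {"customer_id": 1002, "name": "Bob Sample", "email": "bob@example.org",
     "ssn": "987-65-4321", "balance": 80.00},
]
PROD_ORDERS = [
    {"order_id": 1, "customer_id": 1001, "contact_email": "alice@example.com", "amount": 99.99},
    {"order_id": 2, "customer_id": 1002, "contact_email": "bob@example.org", "amount": 12.50},
    {"order_id": 3, "customer_id": 1001, "contact_email": "alice@example.com", "amount": 45.00},
]
# Hypothetical per-refresh secret. It stays with the masking job in the
# production boundary and is never copied to preproduction with the data.
MASKING_KEY = b"rotate-me-on-every-refresh"
PII_COLUMNS = ("name", "email", "contact_email", "ssn")


def _prf(key: bytes, label: str, value: str) -> int:
    """Keyed PRF (HMAC-SHA256). Same (label, value) -> same integer within one
    run, which is what preserves joins. Without the key, a holder of the masked
    copy cannot recompute the mapping or confirm a guessed real value."""
    mac = hmac.new(key, f"{label}\x00{value}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big")


def mask_name(key: bytes, value: str) -> str:
    return f"Customer {_prf(key, 'name', value) % 10**6:06d}"


def mask_email(key: bytes, value: str) -> str:
    # Still a syntactically valid address; .invalid is reserved (RFC 2606), so
    # nothing in the test copy can ever route to a real mailbox.
    return f"user{_prf(key, 'email', value) % 10**8:08d}@test.invalid"


def mask_ssn(key: bytes, value: str) -> str:
    # Format-preserving (NNN-NN-NNNN) so validators still pass. Area numbers
    # 900-999 are never assigned by the SSA, so output cannot collide with a real SSN.
    n = _prf(key, "ssn", value)
    return f"{900 + n % 100:03d}-{1 + (n // 100) % 99:02d}-{1 + (n // 10_000) % 9999:04d}"


def mask_amount(key: bytes, label: str, value: float) -> float:
    # Keep the order of magnitude plausible, drop the real figure.
    factor = 0.5 + (_prf(key, "amount", label) % 1001) / 1000  # 0.5 .. 1.5
    return round(value * factor, 2)


# Column name -> masker. contact_email reuses the "email" label inside
# mask_email, so it maps identically to customers.email and the join survives.
MASKERS = {"name": mask_name, "email": mask_email, "contact_email": mask_email, "ssn": mask_ssn}


def mask_table(key: bytes, rows: list[dict], money_columns: tuple = ()) -> list[dict]:
    out = []
    for row in rows:
        masked = {}
        for col, val in row.items():
            if col in MASKERS:
                masked[col] = MASKERS[col](key, str(val))
            elif col in money_columns:
                masked[col] = mask_amount(key, f"{col}:{val}", val)
            else:
                masked[col] = val  # surrogate keys, dates etc. pass through unchanged
        out.append(masked)
    return out


def find_live_pii(prod_tables: list[list[dict]], masked_tables: list[list[dict]]) -> list:
    """Release gate: no original identifier may survive anywhere in the masked
    output, in ANY column (this also catches PII that leaked into free-text fields)."""
    forbidden = {str(r[c]) for rows in prod_tables for r in rows for c in PII_COLUMNS if c in r}
    return [(col, val) for rows in masked_tables for r in rows
            for col, val in r.items() if str(val) in forbidden]


def joins_preserved(customers: list[dict], orders: list[dict]) -> bool:
    ids = {c["customer_id"] for c in customers}
    emails = {c["email"] for c in customers}
    return all(o["customer_id"] in ids and o["contact_email"] in emails for o in orders)


def build_test_copy(key: bytes = MASKING_KEY) -> tuple[list[dict], list[dict]]:
    customers = mask_table(key, PROD_CUSTOMERS, money_columns=("balance",))
    orders = mask_table(key, PROD_ORDERS, money_columns=("amount",))
    leaks = find_live_pii([PROD_CUSTOMERS, PROD_ORDERS], [customers, orders])
    if leaks:
        raise RuntimeError(f"refusing to release copy, live PII present: {leaks}")
    return customers, orders


if __name__ == "__main__":
    cust, ords = build_test_copy()
    for row in cust + ords:
        print(row)
    print("joins preserved:", joins_preserved(cust, ords))
```

The design choice worth noting is the keyed PRF rather than a plain hash: an unkeyed SHA-256 of an SSN is trivially reversible by hashing all 10^9 candidates, so it would not satisfy the control's intent. The release gate is deliberately blunt (any original identifier, in any column) because the failure mode it exists to catch is a column nobody thought to mask, such as a free-text notes field that contains an email address.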