NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-42(2) Authorized Use

Employ the following measures so that data or information collected by [Assignment: organization-defined sensors] is only used for authorized purposes: [Assignment: organization-defined measures].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Information collected by sensors for a specific authorized purpose could be misused for some unauthorized purpose. For example, GPS sensors that are used to support traffic navigation could be misused to track the movements of individuals. Measures to mitigate such activities include additional training to help ensure that authorized individuals do not abuse their authority and, in the case where sensor data is maintained by external parties, contractual restrictions on the use of such data.

Practitioner Notes

Only use sensor capabilities for authorized purposes — define and document what sensor data is collected, why, and who can access it.

Example 1: Publish a clear policy stating that security cameras are used only for physical security and not for monitoring employee performance. Define retention periods (30 days) and who can request footage review.

Example 2: If your mobile app collects location data, document the specific business purpose (like field service dispatching) and ensure the app only collects location data when actively in use — not continuously in the background.