NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-42(5) Collection Minimization

Employ [Assignment: organization-defined sensors] that are configured to minimize the collection of information about individuals that is not needed.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Although policies to control for authorized use can be applied to information once it is collected, minimizing the collection of information that is not needed mitigates privacy risk at the system entry point and mitigates the risk of policy control failures. Sensor configurations include the obscuring of human features, such as blurring or pixelating flesh tones.

Practitioner Notes

Minimize the amount of sensor data collected to only what is necessary for the stated purpose — do not collect more than you need.

Example 1: Configure security cameras to record only during non-business hours or in high-security areas, rather than recording everything everywhere 24/7. Reduce retention periods to the minimum needed for your security program.

Example 2: For mobile apps that need location data, use "approximate location" instead of "precise location" when exact coordinates are not needed. Collect location only when the app is in the foreground, not continuously in the background.
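The location case in Example 2, sketched as a filter that runs at the point of collection, before anything is stored or transmitted. This is an added illustration, not part of NIST 800-53 or of any platform API; the `Fix` record, the `minimize` function, the two-decimal rounding, and the five-minute interval are assumptions chosen for the sketch, and the rate limit goes slightly beyond the text as one way to avoid continuous collection.

```python
from dataclasses import dataclass
from typing import Iterable, Iterator

# Assumed policy values for this sketch, not taken from NIST or any platform.
COARSE_DECIMALS = 2      # 0.01 degree of latitude is roughly 1.1 km
MIN_INTERVAL_S = 300     # keep at most one fix per five minutes


@dataclass(frozen=True)
class Fix:
    ts: int              # Unix seconds
    lat: float
    lon: float
    foreground: bool     # app state when the sensor produced the fix


def minimize(fixes: Iterable[Fix], need_precise: bool = False) -> Iterator[Fix]:
    """Yield only the fixes, at only the precision, that the purpose needs."""
    last_kept = None
    for f in fixes:
        if not f.foreground:
            continue     # never collect while the app is in the background
        if not (-90 <= f.lat <= 90 and -180 <= f.lon <= 180):
            continue     # malformed reading: discard rather than store
        if last_kept is not None and f.ts - last_kept < MIN_INTERVAL_S:
            continue     # fewer points means less of a movement track
        last_kept = f.ts
        if need_precise:
            yield f
        else:
            yield Fix(f.ts, round(f.lat, COARSE_DECIMALS),
                      round(f.lon, COARSE_DECIMALS), True)


# Constructed sample input (not real telemetry).
SAMPLE = [
    Fix(1000, 38.897676, -77.036530, True),
    Fix(1060, 38.897700, -77.036500, True),    # too soon after the last kept fix
    Fix(1400, 38.898000, -77.037000, False),   # produced in the background
    Fix(1500, 38.899991, -77.040012, True),
    Fix(2000, 91.0, 0.0, True),                # latitude out of range
]

if __name__ == "__main__":
    for fix in minimize(SAMPLE):
        print(fix)
```

Because the filter sits in front of storage, the dropped fixes and the discarded precision never exist downstream, which is the entry-point mitigation the Supplemental Guidance describes.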