NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-12(2)Minimize Personally Identifiable Information in Testing, Training, and Research

Use the following techniques to minimize the use of personally identifiable information for research, testing, or training: {{ insert: param, si-12.2_prm_1 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Organizations can minimize the risk to an individual’s privacy by employing techniques such as de-identification or synthetic data. Limiting the use of personally identifiable information throughout the information life cycle when the information is not needed for research, testing, or training helps reduce the level of privacy risk created by a system. Risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to determining the techniques to use and when to use them.

Practitioner Notes

Use anonymized or synthetic data in testing, training, and research environments rather than real PII. Developers and testers do not need real customer data.

Example 1: Create a data masking pipeline that generates realistic but fake data for your test environments. Tools like Redgate Data Masker or custom scripts can replace real names, SSNs, and addresses with plausible fakes while preserving data relationships.

Example 2: In SQL Server, use Dynamic Data Masking or the data masking features in Azure SQL to automatically mask PII when test teams query the database. They see realistic data patterns but not actual PII values.

More System and Information Integrity Controls

SI-1 Policy and Procedures SI-2 Flaw Remediation SI-2(1) Central Management SI-2(2) Automated Flaw Remediation Status