NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-18(3)Collection

Collect personally identifiable information directly from the individual.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Individuals or their designated representatives can be sources of correct personally identifiable information. Organizations consider contextual factors that may incentivize individuals to provide correct data versus false data. Additional steps may be necessary to validate collected information based on the nature and context of the personally identifiable information, how it is to be used, and how it was obtained. The measures taken to validate the accuracy of personally identifiable information used to make determinations about the rights, benefits, or privileges of individuals under federal programs may be more comprehensive than the measures taken to validate less sensitive personally identifiable information.

Practitioner Notes

Implement quality controls at the point of PII collection to ensure data is accurate from the start.

Example 1: On data entry forms, validate PII in real time — check email format, validate phone number patterns, use address autocomplete with postal service verification. Catch errors at entry rather than cleaning them up later.

Example 2: For PII collected from external systems via API, implement schema validation that checks required fields, data types, and format constraints before accepting the data. Reject submissions that fail quality checks and return clear error messages.

More System and Information Integrity Controls

SI-1 Policy and Procedures SI-2 Flaw Remediation SI-2(1) Central Management SI-2(2) Automated Flaw Remediation Status