NIST 800-53 r5 · Controls catalogue · Family PM
PM-18Privacy Program Plan
Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and: Includes a description of the structure of the privacy program and the resources dedicated to the privacy program; Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements; Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities; Describes management commitment, compliance, and the strategic goals and objectives of the privacy program; Reflects coordination among organizational entities responsible for the different aspects of privacy; and Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and Update the plan {{ insert: param, pm-18_odp }} and to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (5)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-862 | Missing Authorization | 8,680 | Requiring a documented, approved set of privacy controls and role responsibilities makes omission of authorization checks for functions that handle personal information far less likely. |
CWE-284 | Improper Access Control | 4,832 | The mandated organization-wide privacy program plan requires identification and assignment of privacy controls (including access restrictions on PII) plus explicit role accountability, directly reducing the likelihood of missing or inconsistently applied access-control mechanisms. |
CWE-863 | Incorrect Authorization | 3,234 | The plan's coordination, role assignment, and control-description requirements reduce the chance that authorization logic for privacy-relevant resources will be implemented inconsistently or incorrectly. |
CWE-285 | Improper Authorization | 1,230 | By requiring documented privacy program management controls, role assignments, and senior-official approval, the control ensures authorization decisions for personal information are planned, coordinated, and periodically updated rather than left ad-hoc. |
CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | 174 | The privacy program plan explicitly addresses protection of personal information, mandating controls and resources that prevent unauthorized exposure of private personal data across the enterprise. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||