NIST 800-53 r5 · Controls catalogue · Family PM
PM-21Accounting of Disclosures
Develop and maintain an accurate accounting of disclosures of personally identifiable information, including: Date, nature, and purpose of each disclosure; and Name and address, or other contact information of the individual or organization to which the disclosure was made; Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (5)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Requiring detailed, requestable records of every PII disclosure directly aids detection of unauthorized exposures of sensitive information. |
CWE-862 | Missing Authorization | 8,680 | Organizations must be able to justify every disclosure, which makes missing authorization for data release both detectable and operationally costly. |
CWE-284 | Improper Access Control | 4,832 | Accurate accounting of disclosures presupposes and thereby incentivizes proper access-control enforcement; gaps become visible when individuals review their records. |
CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | 174 | The control mandates an auditable trail specifically for private personal information, making unauthorized disclosures of PII more readily discoverable by the affected individual. |
CWE-778 | Insufficient Logging | 23 | Mandating retention and availability of disclosure accounting ensures security-relevant events involving PII release are logged rather than omitted. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||