NIST 800-53 r5 · Controls catalogue · Family PM
PM-22 · Personally Identifiable Information Quality Management
Develop and document organization-wide policies and procedures for:
- Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle;
- Correcting or deleting inaccurate or outdated personally identifiable information;
- Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and
- Appeals of adverse decisions on correction or deletion requests.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (3) · AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces the impact of each weakness class. PM-22 is a policy-level privacy control: it limits how much PII is retained and how long, so a disclosure flaw exposes less, but it does not remove the underlying weakness from the software.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Periodic review and deletion of inaccurate or outdated PII shrinks the retained data set, so an information-exposure flaw discloses less. The control limits impact; it does not fix the exposure itself. |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | 174 | Organization-wide accuracy, relevance, and deletion rules reduce the private personal information held, and therefore the amount available to an unauthorized actor through any exposure flaw. |
| CWE-212 | Improper Removal of Sensitive Information Before Storage or Transfer | 126 | Procedures to delete inaccurate or outdated PII reduce the sensitive data that must be scrubbed before storage or transfer. They complement, but do not replace, the sanitization logic in the application that this CWE describes. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||