NIST 800-53 r5 · Controls catalogue · Family PM
PM-25 Minimization of Personally Identifiable Information Used in Testing, Training, and Research
- Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;
- Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes;
- Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and
- Review and update policies and procedures {{ insert: param, pm-25_prm_1 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (3) AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Minimizing PII in testing/training/research directly reduces the volume of sensitive data present in environments where it could be exposed to unauthorized actors. |
| CWE-497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | 314 | Authorization and minimization requirements keep PII out of test/research control spheres that often lack production-grade protections. |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | 174 | Explicitly limits use of private personal information (PII) for non-operational purposes, reducing opportunities for its exposure outside production systems. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | | | | |