NIST 800-53 r5 · Controls catalogue · Family PT
PT-3Personally Identifiable Information Processing Purposes
Identify and document the {{ insert: param, pt-03_odp.01 }} for processing personally identifiable information; Describe the purpose(s) in the public privacy notices and policies of the organization; Restrict the {{ insert: param, pt-03_odp.02 }} of personally identifiable information to only that which is compatible with the identified purpose(s); and Monitor changes in processing personally identifiable information and implement {{ insert: param, pt-03_odp.03 }} to ensure that any changes are made in accordance with {{ insert: param, pt-03_odp.04 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (5)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-284 | Improper Access Control | 4,832 | Implements purpose-based restrictions that serve as an access control mechanism on PII handling and disclosure. |
CWE-285 | Improper Authorization | 1,230 | Requires authorization decisions for PII processing to be limited to explicitly documented compatible purposes. |
CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | 174 | Restricts PII processing and disclosure to authorized purposes, reducing unauthorized exposure of private personal information. |
CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies | 29 | Directly enforces purpose compatibility and policy alignment for PII processing, preventing exposure from incompatible policies. |
CWE-501 | Trust Boundary Violation | 24 | Defines explicit trust boundaries for PII use via documented purposes and prevents processing outside those boundaries. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||