Cyber Posture

NIST 800-53 r5 · Controls catalogue · Family PT

PT-5Privacy Notice

Provide notice to individuals about the processing of personally identifiable information that: Is available to individuals upon first interacting with an organization, and subsequently at {{ insert: param, pt-05_odp.01 }}; Is clear and easy-to-understand, expressing information about personally identifiable information processing in plain language; Identifies the authority that authorizes the processing of personally identifiable information; Identifies the purposes for which personally identifiable information is to be processed; and Includes {{ insert: param, pt-05_odp.02 }}.

Last updated: 09 May 2026 03:25 UTC

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (0)

Weaknesses this control addresses (3)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE Name CVEs Why this control addresses it
CWE-284Improper Access Control4,832Requiring explicit identification of the authorizing authority and processing purposes in a publicly available notice increases accountability and makes covert improper access control decisions harder to sustain.
CWE-285Improper Authorization1,230Mandating disclosure of the specific authority that authorizes PII processing and the exact purposes directly surfaces authorization decisions, reducing the viability of hidden or improper authorization.
CWE-359Exposure of Private Personal Information to an Unauthorized Actor174Clear, plain-language notice of PII processing authority, purposes, and scope creates transparency that makes unauthorized exposure of private personal information more likely to be detected and challenged by individuals.

Top CVEs where this control is the strongest mitigation

CVE Risk CVSS EPSS Match
No CVEs annotated to this control yet — the per-CVE backfill is in progress.

Other controls in family PT

PT-1 PT-2 PT-3 PT-4 PT-6 PT-7 PT-8