NIST 800-53 r5 · Controls catalogue · Family PT
PT-8 Computer Matching Requirements
When a system or organization processes information for the purpose of conducting a matching program:
- Obtain approval from the Data Integrity Board to conduct the matching program;
- Develop and enter into a computer matching agreement;
- Publish a matching notice in the Federal Register;
- Independently verify the information produced by the matching program before taking adverse action against an individual, if required; and
- Provide individuals with notice and an opportunity to contest the findings before taking adverse action against an individual.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (8) · AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Reduces unauthorized exposure of sensitive information by requiring Data Integrity Board approval, a written matching agreement, public notice, and due-process steps before any matching activity and before any adverse action based on it. |
| CWE-862 | Missing Authorization | 8,680 | Addresses missing authorization at the program level by requiring documented approval and a signed agreement before any computer matching program begins; it does not replace per-request authorization checks inside the matching system itself. |
| CWE-284 | Improper Access Control | 4,832 | Requires Data Integrity Board approval and a formal matching agreement before any cross-system data processing occurs, a procedural gate on matching activity that complements, rather than substitutes for, technical access control on the matched records. |
| CWE-863 | Incorrect Authorization | 3,234 | Addresses incorrect authorization decisions by requiring independent verification of matching results and giving individuals an opportunity to contest them before any adverse action is taken. |
| CWE-285 | Improper Authorization | 1,230 | Mandates explicit authorization via the matching agreement and board approval, limiting the use of personal data to the approved, documented scope of the matching program. |
| CWE-345 | Insufficient Verification of Data Authenticity | 643 | Directly requires independent verification of matching output before adverse decisions, mitigating insufficient authenticity checks on data received from other systems or agencies. |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | 174 | Limits exposure of private personal information by restricting matching to approved programs, publishing notices, and allowing individuals to contest findings. |
| CWE-807 | Reliance on Untrusted Inputs in a Security Decision | 74 | Reduces reliance on unverified matching results for decisions that affect individuals by enforcing independent verification and contest procedures before adverse action. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet; the per-CVE backfill is in progress. | | | | |