NIST 800-53 r5 · Controls catalogue · Family RA
RA-8Privacy Impact Assessments
Conduct privacy impact assessments for systems, programs, or other activities before: Developing or procuring information technology that processes personally identifiable information; and Initiating a new collection of personally identifiable information that: Will be processed using information technology; and Includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (7)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | The assessment process surfaces design decisions that could expose sensitive (including PII) data to unauthorized actors, prompting controls that reduce such exposure. |
CWE-284 | Improper Access Control | 4,832 | PIAs require evaluation of access control needs for PII, resulting in stronger restrictions that make unauthorized access harder to exploit. |
CWE-532 | Insertion of Sensitive Information into Log File | 1,378 | PIAs detect planned or existing logging of PII and require removal or protection, preventing insertion of sensitive information into logs. |
CWE-285 | Improper Authorization | 1,230 | Conducting PIAs before development forces review and improvement of authorization logic protecting personal data, reducing bypass opportunities. |
CWE-311 | Missing Encryption of Sensitive Data | 552 | Privacy assessments routinely identify the need for encryption of PII, directly lowering the impact of missing encryption weaknesses. |
CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | 174 | PIAs explicitly identify and drive mitigation of risks involving unauthorized exposure or misuse of private personal information before systems or collections are implemented. |
CWE-538 | Insertion of Sensitive Information into Externally-Accessible File or Directory | 84 | The pre-implementation review identifies externally accessible files or directories containing PII and drives access restrictions or removal. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||