NIST 800-53 r5 · Controls catalogue · Family SI
SI-18Personally Identifiable Information Quality Operations
Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle {{ insert: param, si-18_prm_1 }} ; and Correct or delete inaccurate or outdated personally identifiable information.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (4)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Regular deletion of inaccurate or outdated PII directly reduces the volume of sensitive information retained that could be exposed. |
CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | 174 | Targeted operations on PII accuracy, timeliness, and deletion reduce the risk of private personal information remaining available for unauthorized exposure. |
CWE-212 | Improper Removal of Sensitive Information Before Storage or Transfer | 126 | The explicit requirement to delete inaccurate/outdated PII implements proper removal of sensitive information before further storage or transfer. |
CWE-226 | Sensitive Information in Resource Not Removed Before Reuse | 30 | Periodic quality checks and deletion ensure sensitive PII is removed from resources prior to reuse or retention beyond its valid lifetime. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||