NIST 800-53 r5 · Controls catalogue · Family SI
SI-19 De-identification
Remove the following elements of personally identifiable information from datasets: {{ insert: param, si-19_odp.01 }}; and evaluate {{ insert: param, si-19_odp.02 }} for effectiveness of de-identification.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (3)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | De-identification directly prevents exposure of sensitive/PII data to unauthorized actors when datasets are released or shared. |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | 174 | Explicitly targets removal of private personal information (PII) to stop its exposure to unauthorized parties. |
| CWE-212 | Improper Removal of Sensitive Information Before Storage or Transfer | 126 | The control implements proper removal of sensitive information before storage or transfer of datasets. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2025-24146 | 2.0 | 9.8 | 0.0020 | good |