Documente Academic
Documente Profesional
Documente Cultură
Version 1
McLean, VA
Approved for Public Release; Distribution Unlimited. 19-3384
Table of Contents
Introduction ............................................................................................................................. 3
How to Use This Document .................................................................................................... 3
Elements of a Privacy Program ............................................................................................... 3
3.1 Sub-Elements of a Privacy Program ................................................................................ 4
Steps for Completing and Documenting a Privacy Program Analysis ................................... 6
References ............................................................................................................................... 7
Appendix A: Privacy Program Analysis Matrix ............................................................................. 8
5.1.1 Element 1.0: Leadership & Organization .................................................................. 8
5.1.2 Element 2.0: Privacy Risk Management .................................................................. 15
5.1.3 Element 3.0: Engineering & Information Security .................................................. 29
5.1.4 Element 4.0: Incident Response ............................................................................... 32
5.1.5 Element 5.0: Individual Participation, Transparency, & Redress ............................ 35
5.1.6 Element 6.0: Privacy Training & Awareness .......................................................... 41
5.1.7 Element 7.0: Accountability .................................................................................... 44
Appendix B: Summary of Privacy Program Analysis Results ..................................................... 47
2
Introduction
This document provides a framework for developing, implementing, maintaining, and evaluating
privacy programs within organizations. Privacy programs must be comprehensive enough to
address all requirements established by authoritative sources (e.g., laws, regulations, guidance),
and must be supported by written policies, appropriate training, ongoing practices, and
appropriate assessment. This document may be used to assess both the completeness (whether an
organization has identified and implemented all elements of a privacy program), and maturity
level (an evaluation of to what degree practices supporting each element are effective in
achieving their intended purpose) of a privacy program. The framework was developed based not
only on comprehensive research of relevant laws and guidance, but on practices that have been
assessed as effective in many organizations.
This document was developed by members of MITRE’s privacy engineering capability. For
questions or comments regarding the document, please send a message to privacy@mitre.org.
Element Description
1.0: Leadership & Organization Providing organizational support for privacy program priorities and
initiatives
2.0: Privacy Risk Management Using methods and processes to identify, assess, prioritize, and
manage privacy risk, including within IT investment, acquisition,
and contract management processes.
3.0: Engineering & Information Security Incorporating privacy into the enterprise systems engineering
approach and integrating with cybersecurity
4.0: Incident Response Managing and responding to privacy incidents, including breaches
5.0: Individual Participation, Informing data subjects and the public regarding information about
Transparency & Redress individuals the organization collects and uses, and how the public
may pursue inquiries and complaints
1Based on a Federal CIO Council Privacy Committee White Paper entitled Best Practices: Elements of a Federal Privacy
Program, June 30, 2010
3
6.0: Privacy Training & Awareness Establishing and maintaining workforce training and a culture of
privacy awareness
7.0: Accountability Enforcing the responsibility of the organization to implement
privacy principles and requirements and to respond to concerns
expressed by individuals and the general public
5.0
3.0 Individual
1.0 6.0
Engineering 4.0 Participa-
Leadership 2.0 Privacy 7.0 Account-
& Incident tion,
& Organiza- Privacy Risk Management Training & ability
Information Response Transpar-
tion Awareness
Security ency, &
Redress
1.1 2.1 2.9 3.1 4.1 5.1 6.1 7.1
Program Regulations Data Quality Integration Incident Dissemin- Workforce Rules of
Organization Develop- & Integrity into Systems Management ation of Training Behavior
al Structure ment Engineering Procedures Privacy Acknowledge-
Process Program ment
Information
1.2 2.2 2.10 3.2 4.2 5.2 6.2 7.2
Program Privacy PII Cyber- Incident Privacy Privacy Internal &
Design and Policy, Retention, security Notification Notices Awareness External
Strategy Procedures, Disposition, Coordination & Reporting Communica- Reporting
and & tions
Standards Destruction
1.3 2.3 2.11 3.3 4.3 5.3 6.3 7.3
Program PII PII Used in Authority to Response Consent Internal Privacy
Privacy Inventory, Non- Connect Capabilities Online Monitoring and
Principles Categoriza- Operational (ATO) Presence Auditing
tion, & Environ- Analysis
Minimization ments &
Research
1.4 2.4 2.12 3.4 4.4 5.4 7.4
Privacy Project/Initia- Internal Use Privacy High-Impact Manage Incorporate
Program tive Start-Up Control Privacy Complaints Lessons
Governance Consults Selection Incident & Inquiries Learned
Response
Team
1.5 2.5 2.13 3.5 5.5
Privacy Privacy Risk Information Privacy in Individual
Program & Impact Sharing Emerging Access
Management Assess- Technolo-
ments gies
1.6 2.6 2.14 5.6
Resource System of Oversight Amendment,
Management Records and Correction, &
Notice Monitoring Redress
Planning
1.7 2.7 2.15 5.7
Stakeholder Legal Government Public
Coordination Agreements Privacy Facing
Changes Online
Monitoring Presence
1.8 2.8 2.16
Outreach Accounting IT
and of Investment,
Collabor- Disclosures Acquisition,
ation & Contractor
Management
4
2.17
Privacy Risk
& Issue
Tracking
5
Steps for Completing and Documenting a Privacy Program
Analysis
In order to complete a privacy program analysis, the privacy program must complete the
following steps:
Step 1: Review the table in Appendix A, Privacy Program Analysis Matrix. The sub-element
descriptions describe two kinds of program requirements. Most of the sub-elements are
requirements listed in laws and guidance for U.S. federal government agencies, e.g., Office of
Management and Budget (OMB) Memoranda or National Institute of Standards and Technology
(NIST) standards and guidance. The concepts represented are usable by private sector and other
non-federal organizations as well since foundational privacy concepts are the same across
sectors. Other sub-elements identify actions taken by various organizations that have been
necessary to meet and sustain compliance with requirements. This document uses the term
“effective practices” for sub-elements that are necessary but not explicitly required by external
authorities. While, theoretically, organizations may be able to address most requirements without
explicitly addressing or assessing their effective practices, they will find implementing these
practices useful and in most cases critical to effectively managing privacy.
Step 2. For each sub-element listed in the Privacy Program Analysis Matrix in Appendix A,
identify the organization’s current and target levels of maturity. A maturity level is a
characterization of the degree to which a privacy protection has been integrated into the
organization’s infrastructure. The definitions of the five maturity levels used in this Privacy
Maturity Model are provided in Table 3, Privacy Maturity Level Descriptions, below. The
maturity levels are consistent with the Capability Maturity Model Integration (CMMI)2 approach
that is used to create a structure for encouraging productive, efficient behavior throughout an
organization. Document the current and target maturity levels in Appendix A for each sub-
element. Important considerations include:
• For target maturity level, the assessor must select the target level that is as high as the
organization may reasonably be expected to achieve, given its size, resources, the
criticality of its functions, and the risks associated with deficiencies in each sub-element.
• When the privacy program and other organizations share responsibility for a sub-element
of the privacy program, the assessor should record the name of the entity or entities with
which the privacy program shares responsibility in the “Comments” column of the matrix
in Appendix A.
• The “Comments” column should also be used to document any steps taken towards the
next maturity level and any implementation decisions that have been made regarding a
sub-element.
Step 3: The Privacy Maturity Model provides a process to use to identify existing, immediate
risk as well as lower levels of risk. Use the current and target privacy maturity levels recorded in
Appendix A for each sub-element as input for completing the table in Appendix B, Summary of
Privacy Program Analysis Results, to summarize the results of the assessment and provide
priority action items. Instructions for completing the table can be found in Appendix B.
Organizations are advised to address their High Priority items immediately. They may choose to
make a careful, risk-based decision to address other more mature items later in the current year
or in a subsequent year by integrating them into a longer-term plan.
References
• Federal CIO Council Privacy Committee White Paper, Best Practices: Elements of a
Federal Privacy Program, June 30, 2010
• National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53,
Revision 4, Security and Privacy Controls for Federal Information Systems and
Organizations, NIST 800-53 v4, Appendix J, Privacy Controls Catalog, April 2013
• National Institute of Standards and Technology (NIST) Special Publication (SP) 800-122,
Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), April
2010
• OMB Circular A-130, Managing Information as a Strategic Resource, July 27, 2016
7
Appendix A: Privacy Program Analysis Matrix
Use the table below to document the status of each of the sub-elements of a privacy program.
1.1.1 Appoints a senior privacy official (e.g., NIST 800-53 v4, Level 1 Level 1
Chief Privacy Officer) accountable for Appendix J, AR- Level 2 Level 2
developing, implementing, and 1(a); OMB A-130: Level 3 Level 3
maintaining an organization-wide Main Body §
Level 4 Level 4
governance and privacy program to 5(f)(1)(b);
manage privacy risk, including addressing Appendix I § 4(e) Level 5 Level 5
all applicable laws and regulations
regarding the collection, use,
maintenance, sharing, and disposal of
personally identifiable information (PII)
by programs and information systems,
delegating these duties to appropriate
staff as necessary
8
1.1.2 Establishes “top down” executive-level Effective practice Level 1 Level 1
leadership support for the privacy Level 2 Level 2
program from the head of the Level 3 Level 3
organization.
Level 4 Level 4
Level 5 Level 5
1.2.3 Aligns privacy program placement within Effective practice Level 1 Level 1
the organization and leadership in Level 2 Level 2
accordance with the program strategy Level 3 Level 3
Level 4 Level 4
Level 5 Level 5
1.2.2 Determines and documents the legal NIST 800-53 v4, Level 1 Level 1
authority that permits the collection, use, Appendix J, AP-1 Level 2 Level 2
maintenance, and sharing of PII, either Level 3 Level 3
generally or in support of a specific
Level 4 Level 4
program or information system need
Level 5 Level 5
1.2.3 Defines program vision, mission, goals, Effective practice Level 1 Level 1
objectives, and metrics to meet statutory Level 2 Level 2
and regulatory privacy requirements as Level 3 Level 3
well as unique mission needs
Level 4 Level 4
Level 5 Level 5
9
1.2.4 Determines privacy protections that will Effective practice Level 1 Level 1
be implemented to protect individuals Level 2 Level 2
that are not covered under the laws, Level 3 Level 3
regulations, and directives that govern
Level 4 Level 4
the organization’s operations
Level 5 Level 5
1.3.4 Reviews and updates privacy principles Effective practice Level 1 Level 1
periodically Level 2 Level 2
Level 3 Level 3
Level 4 Level 4
Level 5 Level 5
10
1.4.1 Develops, disseminates, and implements NIST 800-53 v4, Level 1 Level 1
operational privacy policies and Appendix J, AR-1(e) Level 2 Level 2
procedures that implement the Level 3 Level 3
organization’s privacy principles and
Level 4 Level 4
govern the appropriate privacy and
security controls for programs, Level 5 Level 5
information systems, or technologies
involving PII
1.4.2 Updates privacy plan,policies, and NIST 800-53 v4, Level 1 Level 1
procedures periodically Appendix J, AR-1(f) Level 2 Level 2
Level 3 Level 3
Level 4 Level 4
Level 5 Level 5
1.6.2 Ensures that the senior privacy official is OMB A-130: Level 1 Level 1
involved in assessing and addressing Main Body § Level 2 Level 2
privacy hiring, training, and professional 5(c)(6) Level 3 Level 3
development needs
Level 4 Level 4
Level 5 Level 5
1.6.5 Ensures that the workforce has the OMB A-130: Level 1 Level 1
appropriate knowledge and skill Main Body § Level 2 Level 2
5(c)(2) Level 3 Level 3
Level 4 Level 4
12
Level 5 Level 5
1.6.6 Allocates ] sufficient budget and staffing NIST 800-53 v4, Level 1 Level 1
and qualified resources to implement Appendix J, AR-1(c) Level 2 Level 2
and operate the organization-wide Level 3 Level 3
privacy program in accordance with the
Level 4 Level 4
program strategy
Level 5 Level 5
13
Level 5 Level 5
14
5.1.2 Element 2.0: Privacy Risk Management
15
Level 5 Level 5
16
2.3.4 Balances the need for OMB A-130: Level 1 Level 1
information collection with the Main Body § 4(g), Level 2 Level 2
privacy risks 4(i), 4(j) Level 3 Level 3
Level 4 Level 4
Level 5 Level 5
2.3.5 Identifies the minimum PII NIST 800-53 v4, Level 1 Level 1
elements that are relevant and Appendix J, DM- Level 2 Level 2
necessary to accomplish the 1(a) Level 3 Level 3
legally authorized purpose of Level 4 Level 4
collection Level 5 Level 5
2.3.7 Limits the collection and NIST 800-53 v4, Level 1 Level 1
retention of PII to the Appendix J, DM- Level 2 Level 2
minimum elements identified 1(b) Level 3 Level 3
for the purposes described in Level 4 Level 4
the notice and for which the Level 5 Level 5
individual has provided consent
2.3.8 Eliminates unnecessary OMB A-130: Level 1 Level 1
collection, maintenance, and Main Body § Level 2 Level 2
use of Social Security numbers 5(f)(1)(f) Level 3 Level 3
Level 4 Level 4
Level 5 Level 5
17
PII, and reduces PII holdings
where possible
2.3.10 Provides each update of the PII NIST 800-53 v4, Level 1 Level 1
inventory to the Appendix J, SE- Level 2 Level 2
CIO,information security 1(b)) Level 3 Level 3
official, or other appropriate Level 4 Level 4
senior official periodically to Level 5 Level 5
support the establishment of
information security
requirements for all new or
modified information systems
containing PII
2.4 Project/Initiative Start-Up
Consults
18
(including for the purposes of
matching), storing,
transmitting, use, and disposal
of PII
2.5.3 For U.S. federal government NIST 800-53 v4, Level 1 Level 1
organizations: Conducts Privacy Appendix J, AR- Level 2 Level 2
Impact Assessments (PIAs) 2(b) Level 3 Level 3
under section 208(b) of the E- Level 4 Level 4
Government Act of 2002, OMB A-130; Main Level 5 Level 5
absent an applicable exception Body § 5(f)(1)(i)
under that section, for and Appendix I §
information systems, programs, 3(f)
or other activities that pose a
privacy risk in accordance with
applicable law, OMB policy, or
any existing organizational
policies and procedures
2.5.4 For U.S. federal government NIST 800-53 v4, Level 1 Level 1
organzations: Establishes a Appendix J, DI- Level 2 Level 2
Data Integrity Board when 2(b) Level 3 Level 3
appropriate to oversee Level 4 Level 4
organizational Computer Level 5 Level 5
Matching Agreements and to
ensure that those agreements
comply with the computer
matching provisions of the
Privacy Act
2.5.5 Strategically integrates privacy Effective practice Level 1 Level 1
documentation, including risk Level 2 Level 2
assessments, into privacy risk Level 3 Level 3
management processes Level 4 Level 4
Level 5 Level 5
19
Level 5 Level 5
2.6.1 For U.S. federal government NIST 800-53 v4, Level 1 Level 1
organizations: Publishes Appendix J, TR- Level 2 Level 2
System of Records Notices 2(a) Level 3 Level 3
(SORNs) in the Federal Register, Level 4 Level 4
subject to required oversight Level 5 Level 5
processes, for systems
containing PII
2.6.2 For U.S. federal government NIST 800-53 v4, Level 1 Level 1
organizations: Keeps SORNs Appendix J, TR- Level 2 Level 2
current and publishes deletion 2(b) Level 3 Level 3
notices when systems are Level 4 Level 4
retired Level 5 Level 5
20
Level 5 Level 5
2.9.1 Confirms to the greatest extent NIST 800-53 v4, Level 1 Level 1
practicable upon collection or Appendix J, DI- Level 2 Level 2
creation of PII, the accuracy, 1(a) Level 3 Level 3
relevance, timeliness, and Level 4 Level 4
completeness of that Level 5 Level 5
information
2.9.2 Collects PII directly from the NIST 800-53 v4, Level 1 Level 1
individual to the greatest Appendix J, DI- Level 2 Level 2
extent practicable 1(b) Level 3 Level 3
Level 4 Level 4
Level 5 Level 5
2.9.3 Checks for, and corrects as NIST 800-53 v4, Level 1 Level 1
necessary, any inaccurate or Appendix J, DI-1(c) Level 2 Level 2
outdated PII used by its Level 3 Level 3
programs or systems in Level 4 Level 4
accordance with organizational Level 5 Level 5
standards
2.9.4 Issues guidelines ensuring and NIST 800-53 v4, Level 1 Level 1
maximizing the quality, utility, Appendix J, DI- Level 2 Level 2
objectivity, and integrity of 1(d) Level 3 Level 3
disseminated information Level 4 Level 4
Level 5 Level 5
21
organization’s statutory and Level 3 Level 3
regulatory privacy Level 4 Level 4
requirements as well as unique Level 5 Level 5
mission needs and privacy
principles
2.10 PII Retention, Disposition, &
Destruction
22
2.11.1 Develops policies and NIST 800-53 v4, Level 1 Level 1
procedures that minimize the Appendix J, DM- Level 2 Level 2
use of PII for testing, training, 3(a) Level 3 Level 3
or research; and for developing Level 4 Level 4
software or programs; piloting Level 5 Level 5
software of programs; and for
use in any other non-
operational environments
2.11.2 Implements controls to protect NIST 800-53 v4, Level 1 Level 1
PII used for testing, training, or Appendix J, DM- Level 2 Level 2
research; and for developing 3(b) Level 3 Level 3
software or programs; piloting Level 4 Level 4
software of programs; and for Level 5 Level 5
use in any other non-
operational environments
2.11.3 Implements privacy protections Effective practice Level 1 Level 1
consistent with human subjects Level 2 Level 2
research protocols Level 3 Level 3
Level 4 Level 4
Level 5 Level 5
2.12.1 Uses PII internally only for the NIST 800-53 v4, Level 1 Level 1
authorized purpose(s) Appendix J, UL-1 Level 2 Level 2
identified in applicable Level 3 Level 3
authorities and/or in public Level 4 Level 4
notices Level 5 Level 5
2.13.1 Evaluates any proposed new NIST 800-53 v4, Level 1 Level 1
instances of sharing PII, Appendix J, UL- Level 2 Level 2
including ad hoc requests, with 2(d) Level 3 Level 3
third parties to assess whether Level 4 Level 4
the sharing is authorized and Level 5 Level 5
23
whether additional or new
public notice is required
2.13.2 Where appropriate, enters into NIST 800-53 v4, Level 1 Level 1
agreements with third parties Appendix J, UL- Level 2 Level 2
that specifically describe the PII 2(b) Level 3 Level 3
covered and specifically Level 4 Level 4
enumerate the purposes for OMB A-130: Level 5 Level 5
which the PII may be used as Appendix I § 3(d)
well as allowable disclosures (if
any) and retention conditions
2.13.3 Shares PII externally, only for NIST 800-53 v4, Level 1 Level 1
the authorized purposes Appendix J, UL- Level 2 Level 2
identified in applicable 2(a) Level 3 Level 3
authorities and/or described in Level 4 Level 4
its notice(s) or for a purpose Level 5 Level 5
that is compatible with those
purposes
2.13.4 Requires organizations OMB A-130: Level 1 Level 1
receiving PII to maintain the PII Appendix I § 3(c) Level 2 Level 2
in an information system with a Level 3 Level 3
particular categorization level Level 4 Level 4
Level 5 Level 5
2.13.5 Monitors, audits, and trains its NIST 800-53 v4, Level 1 Level 1
staff on the authorized sharing Appendix J, UL- Level 2 Level 2
of PII with third parties and on 2(c) Level 3 Level 3
the consequences of Level 4 Level 4
unauthorized use or sharing of Level 5 Level 5
PII
2.13.6 Implements a process to Effective practice Level 1 Level 1
evaluate ad hoc requests for Level 2 Level 2
sharing Level 3 Level 3
Level 4 Level 4
Level 5 Level 5
24
2.14 Oversight and Monitoring
Planning
2.15.1 Monitors privacy laws and NIST 800-53 v4, Level 1 Level 1
policy for changes that affect Appendix J, AR- Level 2 Level 2
the privacy program 1(b) Level 3 Level 3
OMB A-130: Level 4 Level 4
Main Body § Level 5 Level 5
5(f)(1)(c)
25
requirements for contractors Level 4 Level 4
and service providers Level 5 Level 5
2.16.5 Ensures that privacy risks are OMB A-130: Level 1 Level 1
addressed and costs are Main Body § Level 2 Level 2
included in IT capital 5(a)(3)(e)(ii) and Level 3 Level 3
investment plans and 5(d)(3)(e); Level 4 Level 4
budgetary requests Appendix I § Level 5 Level 5
4(b)(2) and 4(e)(6)
2.16.6 Ensures that investment plans OMB A-130: Level 1 Level 1
meet the privacy requirements Appendix I § Level 2 Level 2
appropriate for the life cycle 4(b)(4) Level 3 Level 3
stage of the investment Level 4 Level 4
Level 5 Level 5
26
components that cannot be Appendix I § Level 5 Level 5
protected 3(b)(11)
2.16.9 Includes privacy requirements NIST 800-53 v4, Level 1 Level 1
in contracts and other Appendix J, AR- Level 2 Level 2
acquisition-related documents 3(b) Level 3 Level 3
Level 4 Level 4
OMB A-130: Level 5 Level 5
Appendix I § 3(d),
4(j)(1)
27
Level 4 Level 4
Level 5 Level 5
28
5.1.3 Element 3.0: Engineering & Information Security
3.1.1 Ensures that all resources planning and OMB A-130: Level 1 Level 1
management activities consider privacy Main Body § Level 2 Level 2
throughout the system development life 5(a)(1)(c) Level 3 Level 3
cycle and risks are managed Level 4 Level 4
NIST 800-53 v4, Level 5 Level 5
Appendix J, AR-7
3.1.2 Designs information systems to support NIST 800-53 v4, Level 1 Level 1
privacy by automating privacy controls Appendix J, AR-7 Level 2 Level 2
Level 3 Level 3
Level 4 Level 4
Level 5 Level 5
3.1.3 Limits the capabilities of system to only Effective practice Level 1 Level 1
those functions that support authorized Level 2 Level 2
collection, use, retention, and disclosure Level 3 Level 3
or PII Level 4 Level 4
Level 5 Level 5
29
3.1.4 Includes privacy sections in relevant Effective practice Level 1 Level 1
system development documents (e.g. Level 2 Level 2
requirements documents, interface Level 3 Level 3
control documents) Level 4 Level 4
Level 5 Level 5
3.1.5 Ensures the process for retiring systems Effective practice Level 1 Level 1
adequately addresses privacy Level 2 Level 2
requirements Level 3 Level 3
Level 4 Level 4
Level 5 Level 5
3.2.1 Aligns information privacy principles and Effective practice Level 1 Level 1
activities with cybersecurity processes Level 2 Level 2
and activities Level 3 Level 3
Level 4 Level 4
Level 5 Level 5
30
3.4.1 Designates program management, OMB A-130: Level 1 Level 1
common, information system-specific, Appendix I § Level 2 Level 2
and hybrid privacy controls 4(c)(12) and 4(e)(5) Level 3 Level 3
Level 4 Level 4
Level 5 Level 5
3.4.3 Integrates privacy considerations into the Effective practice Level 1 Level 1
organization’s risk management process Level 2 Level 2
Level 3 Level 3
Level 4 Level 4
Level 5 Level 5
3.5.1 Evaluates privacy considerations for new A-130; Main Body Level 1 Level 1
and emerging technologies as part of the § 5(a)(1)(b) Level 2 Level 2
organization’s technology assessment Level 3 Level 3
and infrastructure planning activities Level 4 Level 4
Level 5 Level 5
31
5.1.4 Element 4.0: Incident Response
4.1.1 Develops and implements a Privacy NIST 800-53 v4, Level 1 Level 1
Incident Response Plan that enables the Appendix J, SE-2(a) Level 2 Level 2
organization to respond promptly to OMB A-130: Level 3 Level 3
privacy incidents, including breaches Appendix I § 4(f)(1), Level 4 Level 4
4(f)(7)-4(f)(8) Level 5 Level 5
CIO Council White
Paper on Best
Practices, Element 4
4.2.1 Provides periodic training and CIO Council White Level 1 Level 1
communications regarding privacy incident Paper on Best Level 2 Level 2
reporting procedures to all members of Practices, Elements Level 3 Level 3
the workforce 4 and 6 Level 4 Level 4
Level 5 Level 5
4.2.2 Provides multiple channels for reporting Effective practice Level 1 Level 1
privacy incidents Level 2 Level 2
32
Level 3 Level 3
Level 4 Level 4
Level 5 Level 5
4.3.4 Ensures that processes are in place to OMB A-130: Level 1 Level 1
verify corrective actions for privacy Appendix I § 4(f)(6) Level 2 Level 2
incidents Level 3 Level 3
Level 4 Level 4
Level 5 Level 5
33
Appendix I § Level 2 Level 2
4(f)(10) Level 3 Level 3
Level 4 Level 4
Level 5 Level 5
4.3.7 Provides an organized and effective NIST 800-53 v4, Level 1 Level 1
response to privacy incidents in Appendix J, SE-2 (b) Level 2 Level 2
accordance with the organizational Privacy Level 3 Level 3
Incident Response Plan Level 4 Level 4
Level 5 Level 5
4.4.1 Defines additional incident response CIO Council White Level 1 Level 1
procedures and roles for responding to Paper on Best Level 2 Level 2
high-impact privacy incidents, including Practices, Element 4 Level 3 Level 3
notification and engagement of senior Level 4 Level 4
leadership with decision-making authority Level 5 Level 5
from relevant offices within the
organization
34
5.1.5 Element 5.0: Individual Participation, Transparency, & Redress
Current Target
Maturity Maturity
Level Level
Comments
1: Ad Hoc 1: Ad Hoc
Sub-
Element Privacy Program Requirements References
2: Defined 2: Defined
• Organization or Role Responsible
3: Consistently 3: Consistently
No. Implemented Implemented • Steps taken towards next maturity level
4: Managed & 4: Managed & • Implementation decisions
Measurable Measurable
5: Optimized 5: Optimized
5.1.1 Ensures that the public has access to NIST 800-53 v4, Level 1 Level 1
information about its privacy activities Appendix J, TR-3(a) Level 2 Level 2
and is able to communicate with its Level 3 Level 3
senior privacy official Level 4 Level 4
Level 5 Level 5
5.2.1 Makes public privacy documentation as NIST 800-53 v4, Level 1 Level 1
required and appropriate Appendix J, TR-1 Level 2 Level 2
Level 3 Level 3
Level 4 Level 4
Level 5 Level 5
5.2.2 Conducts periodic reviews of privacy NIST 800-53 v4, Level 1 Level 1
documentation to ensure it remains Appendix J, AR-2, Level 2 Level 2
current and revises documentation as TR-2 Level 3 Level 3
needed Level 4 Level 4
35
Level 5 Level 5
5.2.3 Provides effective notice to the public NIST 800-53 v4, Level 1 Level 1
and to individuals in plain language prior Appendix J, TR-1(a) Level 2 Level 2
to or at the time of collection regarding: Level 3 Level 3
(i) its activities that impact privacy, Level 4 Level 4
including its collection, use, sharing, Level 5 Level 5
safeguarding, maintenance, and disposal
of PII; (ii) authority for collecting PII; (iii)
the choices, if any, individuals may have
regarding how the organization uses PII
and the consequences of exercising or
not exercising those choices; and (iv) the
ability to access and have PII amended or
corrected if necessary
5.2.4 Describes: (i) the PII the organization NIST 800-53 v4, Level 1 Level 1
collects and the purpose(s) for which it Appendix J, TR-1(b) Level 2 Level 2
collects that information; (ii) how the Level 3 Level 3
organization uses PII internally; (iii) Level 4 Level 4
whether the organization shares PII with Level 5 Level 5
external entities, the categories of those
entities, and the purposes for such
sharing; (iv) whether individuals have the
ability to consent to specific uses or
sharing of PII and how to exercise any
such consent; (v) how individuals may
obtain access to PII; and (vi) how the PII
will be protected
5.2.5 Revises its public notices to reflect NIST 800-53 v4, Level 1 Level 1
changes in practice or policy that affect Appendix J, TR-1(c) Level 2 Level 2
PII or changes in its activities that impact Level 3 Level 3
privacy, before or as soon as practicable Level 4 Level 4
after the change Level 5 Level 5
36
5.2.6 Includes notices (including Privacy Act NIST 800-53 v4, Level 1 Level 1
Statements when required for U.S. Appendix J, TR-2(c) Level 2 Level 2
federal government organzations) on its Level 3 Level 3
forms that collect PII, or on separate Level 4 Level 4
forms that can be retained by individuals, Level 5 Level 5
to provide additional formal notice to
individuals from whom the information is
being collected
5.3 Consent
5.3.1 Provides means, where feasible and NIST 800-53 v4, Level 1 Level 1
appropriate, for individuals to authorize Appendix J, IP-1(a) Level 2 Level 2
the collection, use, maintaining, and Level 3 Level 3
sharing of PII prior to its collection Level 4 Level 4
Level 5 Level 5
5.3.2 Provides appropriate means for NIST 800-53 v4, Level 1 Level 1
individuals to understand the Appendix J, IP-1(b) Level 2 Level 2
consequences of decisions to approve or Level 3 Level 3
decline the authorization of the Level 4 Level 4
collection, use, dissemination, and Level 5 Level 5
retention of PII
5.3.3 Obtains consent, where feasible and NIST 800-53 v4, Level 1 Level 1
appropriate, from individuals prior to any Appendix J, IP-1(c) Level 2 Level 2
new uses or disclosure of previously Level 3 Level 3
collected PII Level 4 Level 4
Level 5 Level 5
5.3.4 Ensures that individuals are aware of NIST 800-53 v4, Level 1 Level 1
and, where feasible, consent to all uses Appendix J, IP-1(d) Level 2 Level 2
of PII not initially described in the public Level 3 Level 3
notice that was in effect at the time the Level 4 Level 4
organization collected the PII Level 5 Level 5
37
5.4 Manage Complaints & Inquiries
5.4.1 Implements a process for receiving, NIST 800-53 v4, Level 1 Level 1
managing, and responding to complaints, Appendix J, IP Level 2 Level 2
concerns, or questions from individuals -4 Level 3 Level 3
about the organizational privacy CIO Council Level 4 Level 4
practices, tracking through to resolution Level 5 Level 5
and closure
5.5.1 Provides individuals the ability to have NIST 800-53 v4, Level 1 Level 1
access to their PII maintained in its Appendix J, IP-2(a) Level 2 Level 2
system(s) Level 3 Level 3
Level 4 Level 4
Level 5 Level 5
5.5.2 For U.S. federal government NIST 800-53 v4, Level 1 Level 1
organizations: Publishes rules and Appendix J, IP-2(b) Level 2 Level 2
regulations governing how individuals Level 3 Level 3
may request access to records Level 4 Level 4
maintained in a Privacy Act system of Level 5 Level 5
records
5.2.3 For U.S. federal government NIST 800-53 v4, Level 1 Level 1
organzations: Publishes access Appendix J, IP-2(c) Level 2 Level 2
procedures in System of Records Notices Level 3 Level 3
(SORNs) Level 4 Level 4
Level 5 Level 5
5.2.4 For U.S. federal government NIST 800-53 v4, Level 1 Level 1
organizations: Adheres to Privacy Act Appendix J, IP-2(d) Level 2 Level 2
requirements and OMB policies and Level 3 Level 3
guidance for the proper processing of Level 4 Level 4
Privacy Act requests Level 5 Level 5
38
5.2.5 Provides access procedures in relevant Effective practice Level 1 Level 1
spoken languages where applicable Level 2 Level 2
Level 3 Level 3
Level 4 Level 4
Level 5 Level 5
5.6.1 Provides a process for individuals to have NIST 800-53 v4, Level 1 Level 1
inaccurate PII maintained by the Appendix J, IP-3(a) Level 2 Level 2
organization corrected or amended, as Level 3 Level 3
appropriate Level 4 Level 4
Level 5 Level 5
5.6.2 Establishes a process for disseminating NIST 800-53 v4, Level 1 Level 1
corrections or amendments of the PII to Appendix J, IP-3(b) Level 2 Level 2
other authorized users of the PII within a Level 3 Level 3
reasonable timeframe, such as external Level 4 Level 4
information-sharing partners and, where Level 5 Level 5
feasible and appropriate, notifies
affected individuals that their
information has been corrected or
amended
5.6.3 Documents and communicates reasons NIST 800-53 v4, Level 1 Level 1
for denying amendment, correction, or Appendix J, IP-3 Level 2 Level 2
redress Supplemental Level 3 Level 3
Guidance Level 4 Level 4
Effective practice Level 5 Level 5
39
5.6.4 Implements and makes public in relevant Effective practice Level 1 Level 1
spoken languages where applicable Level 2 Level 2
procedures for requesting redress Level 3 Level 3
Level 4 Level 4
Level 5 Level 5
5.6.5 Implements measure granted for redress Effective practice Level 1 Level 1
within a reasonable timeframe Level 2 Level 2
Level 3 Level 3
Level 4 Level 4
Level 5 Level 5
5.7.1 Ensures that its privacy practices are NIST 800-53 v4, Level 1 Level 1
publicly available through organizational Appendix J, TR-3(b) Level 2 Level 2
websites or otherwise Level 3 Level 3
Level 4 Level 4
Level 5 Level 5
5.7.2 Maintains and posts privacy policies on OMB A-130: Level 1 Level 1
websites, mobile applications, and other Main Body § Level 2 Level 2
digital services 5(f)(1)(j) Level 3 Level 3
Level 4 Level 4
Level 5 Level 5
40
5.1.6 Element 6.0: Privacy Training & Awareness
6.1.2 Ensures that privacy training is consistent OMB A-130: Level 1 Level 1
with applicable policies, standards, and Appendix I § Level 2 Level 2
guidelines 4(h)(2) Level 3 Level 3
Level 4 Level 4
Level 5 Level 5
41
6.1.4 Develops, implements, and updates a NIST 800-53 v4, Level 1 Level 1
comprehensive training and awareness Appendix J, AR-5(a) Level 2 Level 2
strategy aimed at ensuring that Level 3 Level 3
personnel understand privacy Level 4 Level 4
responsibilities and procedures Level 5 Level 5
6.1.5 Administers basic privacy training and OMB A-130: Level 1 Level 1
targeted, role-based privacy training for Appendix I § Level 2 Level 2
personnel having responsibility for 4(h)(4), 4(h)(5) Level 3 Level 3
personally identifiable information (PII) NIST 800-53 v4, Level 4 Level 4
at least annually Appendix J, AR- Level 5 Level 5
5(b)
6.1.6 Tracks and reports completion of CIO Council white Level 1 Level 1
mandatory annual privacy training Paper on Best Level 2 Level 2
commensurate with professional Practices, Element Level 3 Level 3
responsibilities 6 Level 4 Level 4
Level 5 Level 5
6.2.1 Supplements training with activities that NIST 800-53 v4, Level 1 Level 1
reinforce the workforce’s understanding Appendix J, AR-5 Level 2 Level 2
of privacy expectations (implicit in Level 3 Level 3
Supplemental Level 4 Level 4
Guidance) Level 5 Level 5
42
6.3 Internal Online Presence
43
5.1.7 Element 7.0: Accountability
7.1.1 Ensures that personnel read and certify OMB A-130: Level 1 Level 1
(manually or electronically) acceptance Appendix I § Level 2 Level 2
of responsibilities for privacy 4(h)(7) Level 3 Level 3
requirements in rules of behavior at least NIST 800-53 v4, Level 4 Level 4
annually Appendix J, AR-5(c) Level 5 Level 5
44
mandates and to senior management
and other personnel with responsibility
for monitoring privacy program
performance and compliance
7.3 Privacy Monitoring and Auditing
7.3.2 Monitors and audits privacy controls and NIST 800-53 v4, Level 1 Level 1
internal privacy policy to ensure effective Appendix J, AR-4 Level 2 Level 2
implementation OMB A-130: Level 3 Level 3
Appendix I § Level 4 Level 4
3(b)(6), 4(c)(13)- Level 5 Level 5
4(c)(14), and
4(e)(3)
7.3.3 Develops and maintains a privacy OMB A-130: Level 1 Level 1
continuous monitoring strategy and a Appendix I § Level 2 Level 2
privacy continuous monitoring program 4(d)(9), 4(d)(10)- Level 3 Level 3
4(d)(11), and Level 4 Level 4
4(e)(2) Level 5 Level 5
7.3.5 Corrects deficiencies that are identified OMB A-130: Level 1 Level 1
in information systems Appendix I § Level 2 Level 2
4(c)(15) and 4(k) Level 3 Level 3
Level 4 Level 4
Level 5 Level 5
7.3.6 Assesses the senior privacy official’s Effective practice Level 1 Level 1
performance with regard to the Level 2 Level 2
effectiveness of the privacy program Level 3 Level 3
Level 4 Level 4
Level 5 Level 5
45
7.4 Incorporate Lessons Learned
7.4.1 Evaluates privacy risks, complaints, and Effective practice Level 1 Level 1
incidents to identify knowledge gaps in Level 2 Level 2
the workforce or other privacy issues and Level 3 Level 3
uses this data to update policies, Level 4 Level 4
procedures, business processes, Level 5 Level 5
standards, and training
46
Appendix B: Summary of Privacy Program Analysis Results
Use the current and target privacy maturity levels recorded in Appendix A for each sub-element as input for completing the table below to
summarize the results of the privacy program analysis and identify each item as low, medium, or high priority to be addressed. Items that
are already optimized should be designated as “Complete.” Each item should be integrated into the organization’s privacy plan and tracked
as part of monitoring the privacy program’s performance.
PRIORITY TO ADDRESS
Sub- Privacy Program Requirements High Medium Low Complete Comments
Element (Already
No. Optimized)
1.0 Leadership & Organization
1.1 Program Organizational Structure
1.2 Program Design and Strategy
1.3 Program Privacy Principles
1.4 Privacy Program Governance
1.5 Privacy Program Management
1.6 Resource Management
1.7 Stakeholder Coordination
1.8 Outreach & Collaboration
2.0 Privacy Risk Management
2.1 Regulations Development
2.2 Privacy Policy, Procedures, and Standards
2.3 PII Inventory, Categorization, & Minimization
2.4 Project/Initiative Start-Up Consults
47
PRIORITY TO ADDRESS
Sub- Privacy Program Requirements High Medium Low Complete Comments
Element (Already
No. Optimized)
2.5 Privacy Risk & Impact Assessments
2.6 System of Records Notice
2.7 Legal Agreements
2.8 Accounting of Disclosures
2.9 Data Quality & Integrity
2.10 PII Retention, Disposition, & Destruction
2.11 PII Used in Non-Operational Environments & Research
2.12 Internal Use
2.13 Information Sharing
2.14 Oversight and Monitoring Planning
2.15 Government Privacy Changes Monitoring
2.16 IT Investment, Acquisition, & Contractor Management
2.17 Privacy Risk & Issue Tracking
3.0 Engineering & Information Security
3.1 Integration into Systems Engineering Process
3.2 Cybersecurity Coordination
3.3 Authority to Connect (ATO) Analysis
3.4 Privacy Control Selection
3.5 Privacy in Emerging Technologies
4.0 Incident Response
4.1 Incident Management Procedures
4.2 Incident Notification & Reporting
4.3 Response Capabilities
4.4 High-Impact Privacy Incident Response Team
5.0 Individual Participation, Transparency & Redress
5.1 Dissemination of Privacy Program Information
5.2 Privacy Notices
5.3 Consent
5.4 Manage Complaints & Inquiries
5.5 Individual Access
5.7 Public Facing Online Presence
48
PRIORITY TO ADDRESS
Sub- Privacy Program Requirements High Medium Low Complete Comments
Element (Already
No. Optimized)
6.0 Privacy Training & Awareness
6.1 Workforce Training
6.2 Privacy Awareness Communications
6.3 Internal Online Presence
7.0 Accountability
7.1 Rules of Behavior Acknowledgement
7.2 Internal & External Reporting
7.3 Privacy Monitoring and Auditing
7.4 Incorporate Lessons Learned
49