STIGhub

PM-25

Program Management · Rev 5 · organization

Minimization of Personally Identifiable Information Used in Testing, Training, and Research

Baselines: Privacy

Control Statement

a. Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;
b. Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes;
c. Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and
d. Review and update policies and procedures [Assignment: organization-defined frequency].

Supplemental Guidance

The use of personally identifiable information in testing, research, and training increases the risk of unauthorized disclosure or misuse of such information. Organizations consult with the senior agency official for privacy and/or legal counsel to ensure that the use of personally identifiable information in testing, training, and research is compatible with the original purpose for which it was collected. When possible, organizations use placeholder data to avoid exposure of personally identifiable information when conducting testing, training, and research.

Related Controls (5)

PM-23, PT-3, SA-3, SA-8, SI-12

CCI Identifiers (10)

CCI-004430: Authorize the use of personally identifiable information when such information is required for internal testing, training, and research.
CCI-004431: Review and update policies on an organization-defined frequency.
CCI-004433: Review and update procedures on an organization-defined frequency.
CCI-004434: Defines the frequency of which the procedures should be reviewed and updated.
CCI-004425: Develop and document policies that address the use of personally identifiable information for internal testing, training, and research.
CCI-004426: Develop and document procedures that address the use of personally identifiable information for internal testing, training, and research.
CCI-004427: Implement policies that address the use of personally identifiable information for internal testing, training, and research.
CCI-004428: Implement procedures that address the use of personally identifiable information for internal testing, training, and research.
CCI-004432: Defines the frequency of which the policies should be reviewed and updated.
CCI-004429: Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes.

Linked STIG Checks (0)

No STIG checks reference this control.