myctrl.tools
Compare

AT-3(5)Processing Personally Identifiable Information

PRIVACY

>Control Description

Provide organization-defined personnel or roles with initial and organization-defined frequency training in the employment and operation of personally identifiable information processing and transparency controls.

>Cross-Framework Mappings

SCF

SAT-03.3
Compare

>Supplemental Guidance

Personally identifiable information processing and transparency controls include the organization's authority to process personally identifiable information and personally identifiable information processing purposes. Role-based training for federal agencies addresses the types of information that may constitute personally identifiable information and the risks, considerations, and obligations associated with its processing. Such training also considers the authority to process personally identifiable information documented in privacy policies and notices, system of records notices, computer matching agreements and notices, privacy impact assessments, PRIVACT statements, contracts, information sharing agreements, memoranda of understanding, and/or other documentation.

>Related Controls

PT-2
PT-3
PT-5
PT-6

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of AT-3(5) (Processing Personally Identifiable Information)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring AT-3(5)?
  • How frequently is the AT-3(5) policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to AT-3(5)?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce AT-3(5) requirements.
  • What automated tools, systems, or technologies are deployed to implement AT-3(5)?
  • How is AT-3(5) integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce AT-3(5) requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of AT-3(5)?
  • What audit logs, records, reports, or monitoring data validate AT-3(5) compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of AT-3(5) effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate AT-3(5) compliance?

Ask AI

Configure your API key to use AI features.