CM-13—Data Action Mapping
>Control Description
>Cross-Framework Mappings
>Supplemental Guidance
Data actions are system operations that process personally identifiable information. The processing of such information encompasses the full information life cycle, which includes collection, generation, transformation, use, disclosure, retention, and disposal. A map of system data actions includes discrete data actions, elements of personally identifiable information being processed in the data actions, system components involved in the data actions, and the owners or operators of the system components.
Understanding what personally identifiable information is being processed (e.g., the sensitivity of the personally identifiable information), how personally identifiable information is being processed (e.g., if the data action is visible to the individual or is processed in another part of the system), and by whom (e.g., individuals may have different privacy perceptions based on the entity that is processing the personally identifiable information) provides a number of contextual factors that are important to assessing the degree of privacy risk created by the system. Data maps can be illustrated in different ways, and the level of detail may vary based on the mission and business needs of the organization. The data map may be an overlay of any system design artifact that the organization is using.
The development of this map may necessitate coordination between the privacy and security programs regarding the covered data actions and the components that are identified as part of the system.
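As an added illustration (not part of the NIST control text), the following Python models a data action map with the elements the guidance lists (discrete action, life-cycle stage, PII elements, component, owner/operator) and runs two checks an assessor might want: which components touch each PII element, and where the map is incomplete. The enrollment service, components, and owners are constructed.

```python
from dataclasses import dataclass

# Life-cycle stages named in the CM-13 supplemental guidance.
LIFE_CYCLE = ("collection", "generation", "transformation", "use",
              "disclosure", "retention", "disposal")

@dataclass(frozen=True)
class DataAction:
    """One row of the data action map; fields follow the guidance's list."""
    name: str
    stage: str
    pii_elements: frozenset
    component: str
    owner: str  # owner/operator of the component; "" if not yet identified
    visible_to_individual: bool  # is the processing visible to the data subject?

def components_by_element(actions):
    """Map each PII element to the set of components that process it."""
    out = {}
    for a in actions:
        for e in a.pii_elements:
            out.setdefault(e, set()).add(a.component)
    return out

def find_gaps(actions):
    """Gaps an assessor would raise: bad stage, missing owner, PII never disposed."""
    gaps, collected, disposed = [], set(), set()
    for a in actions:
        if a.stage not in LIFE_CYCLE:
            gaps.append(f"{a.name}: unknown stage '{a.stage}'")
        if not a.owner:
            gaps.append(f"{a.name}: no owner recorded for {a.component}")
        if a.stage == "collection":
            collected |= a.pii_elements
        elif a.stage == "disposal":
            disposed |= a.pii_elements
    gaps += [f"{e}: collected but no disposal action mapped"
             for e in sorted(collected - disposed)]
    return gaps

# Constructed sample map for a hypothetical enrollment service.
SAMPLE_MAP = [
    DataAction("web form intake", "collection", frozenset({"name", "email", "ssn"}),
               "portal", "App Team", True),
    DataAction("fraud scoring", "transformation", frozenset({"ssn"}), "risk-engine", "", False),
    DataAction("send to payroll vendor", "disclosure", frozenset({"name", "ssn"}),
               "vendor-gateway", "Integrations", False),
    DataAction("purge email after 90 days", "disposal", frozenset({"email"}), "portal", "App Team", False),
]
```

Running `find_gaps(SAMPLE_MAP)` flags the unowned risk-engine component and the two PII elements (name, ssn) that are collected but have no disposal action mapped, which is exactly the kind of finding that drives the privacy/security coordination the guidance mentions.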
>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What formal policies and procedures govern the implementation of CM-13 (Data Action Mapping)?
- Who are the designated roles responsible for implementing, maintaining, and monitoring CM-13?
- How frequently is the CM-13 policy reviewed and updated, and what triggers policy changes?
- What training or awareness programs ensure personnel understand their responsibilities related to CM-13?
Technical Implementation:
- Describe the specific technical mechanisms or controls used to enforce CM-13 requirements.
- What automated tools, systems, or technologies are deployed to implement CM-13?
- How is CM-13 integrated into your system architecture and overall security posture?
- What configuration settings, parameters, or technical specifications enforce CM-13 requirements?
Evidence & Documentation:
- What documentation demonstrates the complete implementation of CM-13?
- What audit logs, records, reports, or monitoring data validate CM-13 compliance?
- Can you provide evidence of periodic reviews, assessments, or testing of CM-13 effectiveness?
- What artifacts would you present during a FedRAMP assessment to demonstrate CM-13 compliance?