myctrl.tools

PT-6 System of Records Notice

PRIVACY

Control Description

For systems that process information that will be maintained in a Privacy Act system of records:

  a. Draft system of records notices in accordance with OMB guidance and submit new and significantly modified system of records notices to the OMB and appropriate congressional committees for advance review;
  b. Publish system of records notices in the Federal Register; and
  c. Keep system of records notices accurate, up-to-date, and scoped in accordance with policy.

Control Enhancements (2)

Cross-Framework Mappings

Supplemental Guidance

The Privacy Act requires that federal agencies publish a system of records notice (SORN) in the Federal Register upon the establishment or modification of a Privacy Act system of records. As a general matter, a SORN is required when an agency maintains a group of records under its control from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifier assigned to the individual. The notice describes the existence and character of the system and identifies the system of records, the purpose(s) of the system, the authority for maintaining the records, the categories of records maintained in the system, the categories of individuals about whom records are maintained, the routine uses to which the records are subject, and additional details about the system as described in OMB Circular A-108.

Related Controls

Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What is the process for developing and maintaining system of records notices (SORNs) and Privacy Act statements?
  • How does the organization ensure SORNs accurately describe the systems that process PII and the practices applied to it?
  • Who reviews and approves SORNs and Privacy Act statements?
  • What is the process for updating SORNs when system practices, purposes, or routine uses change?
  • What governance exists for ensuring compliance with Privacy Act notice requirements?

Technical Implementation:

  • What systems or tools are used to draft, track, and maintain SORNs and Privacy Act statements?
  • How are SORN requirements integrated into the system development life cycle?
  • What technical controls enforce the presentation of Privacy Act statements at PII collection points?
  • How are SORNs published and made available to the public?

Evidence & Documentation:

  • Provide current System of Records Notices (SORNs) for systems processing PII.
  • Provide evidence of SORN publication in the Federal Register.
  • Provide Privacy Act statements used at PII collection points.
  • Provide records of SORN reviews and updates.
  • Provide documentation of SORN accuracy validation.
