The application server must attach data tags containing organization-defined processing purposes to organization-defined elements of personally identifiable information.

Data tags support the tracking of processing purposes by conveying the purposes along with the relevant elements of personally identifiable information throughout the system. By conveying the processing purposes in a data tag along with the personally identifiable information as the information transits a system, a system owner or operator can identify whether a change in processing would be compatible with the identified and documented purposes. Data tags may also support the use of automated tools. This requirement also applies to Zero Trust initiatives.

Verify the application server is configured to attach data tags containing organization-defined processing purposes to organization-defined elements of personally identifiable information. If the application server does not attach data tags containing organization-defined processing purposes to organization-defined elements of personally identifiable information, this is a finding.

Configure the application server to attach data tags containing organization-defined processing purposes to organization-defined elements of personally identifiable information.