Which references support PL-5 Privacy Impact Assessment?

Multiple Choice

Which references support PL-5 Privacy Impact Assessment?

Explanation:
PIAs are required to identify and address privacy risks in federal information systems, and PL-5 is the control that ensures those assessments are conducted as part of the system life cycle. The authoritative references that establish and implement this requirement come from the E-Government Act, specifically section 208, which mandates privacy impact assessments for information systems handling personal data, and from the OMB guidance that implements those privacy provisions, namely Memorandum M-03-22. These two sources directly articulate the need for a PIA and how it should be carried out, making them the best fit for supporting PL-5.

Other references focus on related security and risk activities but not the specific mandate for privacy impact assessments. For example, SP 800-37 covers risk management at a broader level, and OMB M-02-01 addresses information security program guidance, not the privacy impact assessment requirement. Likewise, OMB A‑130 plus SP 800‑18r1, or HSPD‑7 plus SP 800‑34, address security planning, continuity, and infrastructure concerns rather than PIAs.