NIST PRIVACY FRAMEWORK: A TOOL FOR IMPROVING PRIVACY THROUGH ENTERPRISE RISK MANAGEMENT, VERSION 1.0 - January 16, 2020

Download NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management, Version 1.0 and csf-pf-to-sp800-53r5-mappings.xlsx (live.com)

For EnterpriseGRC Solutions clients and cohorts working with NIST 800-53-R5 and the new FedRAMP V5, as well as those who meet CCM v4.0 Cloud Security Alliance © 2021, ISO/IEC 27002:2013, ISO/IEC 27001:2013, ISO/IEC 27017:2015 for cloud services, ISO/IEC 27018:2019, ISO/IEC 27701:2019 or TSP 100—2017 Trust Services Criteria: we're ready to align your existing compliance program with NIST CSF, your organic RMF and all of your existing internal programs and policies.

In case you missed it:

Executive Summary
For more than two decades, the Internet and associated information technologies have driven unprecedented innovation, economic value, and improvement in social services. Many of these benefits are fueled by data about individuals that flow through a complex ecosystem. As a result, individuals may not be able to understand the potential consequences for their privacy as they interact with systems, products, and services. At the same time, organizations may not realize the full extent of these consequences for individuals, for society, or for their enterprises, which can affect their brands, their bottom lines, and their future prospects for growth.
Following a transparent, consensus-based process including both private and public stakeholders to produce this voluntary tool, the National Institute of Standards and Technology (NIST) is publishing this Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (Privacy Framework), to enable better privacy engineering practices that support privacy by design concepts and help organizations protect individuals’ privacy. The Privacy Framework can support organizations in:
• Building customers’ trust by supporting ethical decision-making in product and service design or deployment that optimizes beneficial uses of data while minimizing adverse consequences for individuals’ privacy and society as a whole;¹
• Fulfilling current compliance obligations, as well as future-proofing products and services to meet these obligations in a changing technological and policy environment; and
• Facilitating communication about privacy practices with individuals, business partners, assessors, and regulators.
Deriving benefits from data while simultaneously managing risks to individuals’ privacy is not well-suited to one-size-fits-all solutions. Like building a house, where homeowners make layout and design choices while relying on a well-engineered foundation, privacy protection should allow for individual choices, as long as effective privacy risk mitigations are already engineered into products and services. The Privacy Framework—through a risk- and outcome-based approach—is flexible enough to address diverse privacy needs, enable more innovative and effective solutions that can lead to better outcomes for individuals and organizations, and stay current with technology trends, such as artificial intelligence and the Internet of Things.
The Privacy Framework follows the structure of the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) [1] to facilitate the use of both frameworks together. Like the Cybersecurity Framework, the Privacy Framework is composed of three parts: Core, Profiles, and Implementation Tiers. Each component reinforces privacy risk management through the connection between business and mission drivers, organizational roles and responsibilities, and privacy protection activities.
• The Core enables a dialogue—from the executive level to the implementation/operations level—about important privacy protection activities and desired outcomes.
• Profiles enable the prioritization of the outcomes and activities that best meet organizational privacy values, mission or business needs, and risks.
• Implementation Tiers support decision-making and communication about the sufficiency of organizational processes and resources to manage privacy risk.
In summary, the Privacy Framework is intended to help organizations build better privacy foundations by bringing privacy risk into parity with their broader enterprise risk portfolio.
Acknowledgments
This publication is the result of a collaborative effort between NIST and organizational and individual stakeholders in the public and private sectors. In developing the Privacy Framework, NIST has relied upon three public workshops, a request for information (RFI), a request for comment (RFC), five webinars, and hundreds of direct interactions with stakeholders.² NIST acknowledges and thanks all of those who have contributed to this publication.

¹ There is no objective standard for ethical decision-making; it is grounded in the norms, values, and legal expectations in a given society. (Quoted directly from the cover of the standard.)

NIST Privacy Framework Version 1.0 to NIST Special Publication 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations

Columns: NIST Privacy Framework Core (Function, Category, Subcategory); NIST SP 800-53, Revision 5, Control; Relationship of Subcategory to Cybersecurity Framework

Key for Column F:
• The Privacy Framework Subcategory aligns with the Cybersecurity Framework Subcategory, but the text has been adapted for the Privacy Framework.
• The Privacy Framework Subcategory is identical to the Cybersecurity Framework Subcategory.

IDENTIFY-P (ID-P): Develop the organizational understanding to manage privacy risk for individuals arising from data processing.
Inventory and Mapping (ID.IM-P): Data processing by systems, products, or services is understood and informs the management of privacy risk.
ID.IM-P1: Systems/products/services that process data are inventoried. CM-8, CM-12, CM-13, PM-5
ID.IM-P2: Owners or operators (e.g., the organization or third parties such as service providers, partners, customers, and developers) and their roles with respect to the systems/products/services and components (e.g., internal or external) that process data are inventoried. CM-8(4), CM-13  
ID.IM-P3: Categories of individuals (e.g., customers, employees or prospective employees, consumers) whose data are being processed are inventoried. CM-13  
ID.IM-P4: Data actions of the systems/products/services are inventoried. CM-13  
ID.IM-P5: The purposes for the data actions are inventoried. CM-13, PT-1, PT-2, PT-3   
ID.IM-P6: Data elements within the data actions are inventoried. CM-13, PM-5(1), PT-7  
ID.IM-P7: The data processing environment is identified (e.g., geographic location, internal, cloud, third parties). CM-8, CM-12, CM-13  
ID.IM-P8: Data processing is mapped, illustrating the data actions and associated data elements for systems/products/services, including components; roles of the component owners/operators; and interactions of individuals or third parties with the systems/products/services. CM-13  
Business Environment (ID.BE-P): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform privacy roles, responsibilities, and risk management decisions.
ID.BE-P1: The organization’s role(s) in the data processing ecosystem are identified and communicated. SR-1, SR-3
ID.BE-P2: Priorities for organizational mission, objectives, and activities are established and communicated. PM-11  
ID.BE-P3: Systems/products/services that support organizational priorities are identified and key requirements communicated. RA-9  
Risk Assessment (ID.RA-P): The organization understands the privacy risks to individuals and how such privacy risks may create follow-on impacts on organizational operations, including mission, functions, other risk management priorities (e.g., compliance, financial), reputation, workforce, and culture.
ID.RA-P1: Contextual factors related to the systems/products/services and the data actions are identified (e.g., individuals’ demographics and privacy interests or perceptions, data sensitivity and/or types, visibility of data processing to individuals and third parties). CM-13, PM-5(1), PT-7, RA-3, RA-8
ID.RA-P2: Data analytic inputs and outputs are identified and evaluated for bias.    
ID.RA-P3: Potential problematic data actions and associated problems are identified.  CM-13, RA-3, RA-8  
ID.RA-P4: Problematic data actions, likelihoods, and impacts are used to determine and prioritize risk. PM-28, RA-2, RA-3, RA-8  
ID.RA-P5: Risk responses are identified, prioritized, and implemented. CA-5, PM-4, PM-9, PM-28, RA-7, RA-8      
Data Processing Ecosystem Risk Management (ID.DE-P): The organization’s priorities, constraints, risk tolerance, and assumptions are established and used to support risk decisions associated with managing privacy risk and third parties within the data processing ecosystem. The organization has established and implemented the processes to identify, assess, and manage privacy risks within the data processing ecosystem.
ID.DE-P1: Data processing ecosystem risk management policies, processes, and procedures are identified, established, assessed, managed, and agreed to by organizational stakeholders. PM-30, SA-9, SR-1, SR-2, SR-3, SR-4, SR-5
ID.DE-P2: Data processing ecosystem parties (e.g., service providers, customers, partners, product manufacturers, application developers) are identified, prioritized, and assessed using a privacy risk assessment process. PM-9, RA-3, RA-8, SA-15, SR-2, SR-3, SR-5, SR-6      
ID.DE-P3: Contracts with data processing ecosystem parties are used to implement appropriate measures designed to meet the objectives of an organization’s privacy program.  SA-4, SA-9, SR-2, SR-3, SR-5, SR-8      
ID.DE-P4: Interoperability frameworks or similar multi-party approaches are used to manage data processing ecosystem privacy risks.         
ID.DE-P5: Data processing ecosystem parties are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual, interoperability framework, or other obligations. AU-6, CA-2, CA-7, PS-7, SA-9, SA-11      

GOVERN-P (GV-P): Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk.
Governance Policies, Processes, and Procedures (GV.PO-P): The policies, processes, and procedures to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of privacy risk.
GV.PO-P1: Organizational privacy values and policies (e.g., conditions on data processing such as data uses or retention periods, individuals’ prerogatives with respect to data processing) are established and communicated. all -1 controls
GV.PO-P2: Processes to instill organizational privacy values within system/product/service development and operations are established and in place. PM-3, PM-23, SA-2, SA-3      
GV.PO-P3: Roles and responsibilities for the workforce are established with respect to privacy.  all -1 controls, CP-2, PM-2, PM-3, PM-13, PM-18, PM-19, PM-29, PS-7, PS-9      
GV.PO-P4: Privacy roles and responsibilities are coordinated and aligned with third-party stakeholders (e.g., service providers, customers, partners). PM-18, PM-19, PM-29      
GV.PO-P5: Legal, regulatory, and contractual requirements regarding privacy are understood and managed. all -1 controls      
GV.PO-P6: Governance and risk management policies, processes, and procedures address privacy risks. PM-3, PM-7, PM-9, PM-10, PM-11, PM-18, PM-19, PM-23, PM-28, RA-1, RA-3, RA-8      
Risk Management Strategy (GV.RM-P): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
GV.RM-P1: Risk management processes are established, managed, and agreed to by organizational stakeholders. PM-9, PM-28
GV.RM-P2: Organizational risk tolerance is determined and clearly expressed. PM-9      
GV.RM-P3: The organization’s determination of risk tolerance is informed by its role(s) in the data processing ecosystem. PM-28      
Awareness and Training (GV.AT-P): The organization’s workforce and third parties engaged in data processing are provided privacy awareness education and are trained to perform their privacy-related duties and responsibilities consistent with related policies, processes, procedures, and agreements and organizational privacy values.
GV.AT-P1: The workforce is informed and trained on its roles and responsibilities. AT-2, AT-3, AT-3(3), AT-3(5), PM-13, PM-14
GV.AT-P2: Senior executives understand their roles and responsibilities. AT-3, PM-13      
GV.AT-P3: Privacy personnel understand their roles and responsibilities. AT-3, AT-3(3), AT-3(5), CP-3, IR-2, IR-2(3), PM-13      
GV.AT-P4: Third parties (e.g., service providers, customers, partners) understand their roles and responsibilities. AT-3, PS-7, SA-9      
Monitoring and Review (GV.MT-P): The policies, processes, and procedures for ongoing review of the organization’s privacy posture are understood and inform the management of privacy risk.
GV.MT-P1: Privacy risk is re-evaluated on an ongoing basis and as key factors, including the organization’s business environment (e.g., introduction of new technologies), governance (e.g., legal obligations, risk tolerance), data processing, and systems/products/services change. CA-7, CA-7(4), CM-4, CM-13, PM-5(1), RA-3, RA-8
GV.MT-P2: Privacy values, policies, and training are reviewed and any updates are communicated.  all -1 controls      
GV.MT-P3: Policies, processes, and procedures for assessing compliance with legal requirements and privacy policies are established and in place. CA-2, CA-7, PM-14, PM-31      
GV.MT-P4: Policies, processes, and procedures for communicating progress on managing privacy risks are established and in place. CA-5, PM-4, PM-27      
GV.MT-P5: Policies, processes, and procedures are established and in place to receive, analyze, and respond to problematic data actions disclosed to the organization from internal and external sources (e.g., internal discovery, privacy researchers, professional events). CM-4, PM-15, RA-3, RA-8, SI-19(8)      
GV.MT-P6: Policies, processes, and procedures incorporate lessons learned from problematic data actions. all -1 controls, IR-4      
GV.MT-P7: Policies, processes, and procedures for receiving, tracking, and responding to complaints, concerns, and questions from individuals about organizational privacy practices are established and in place. PM-20, PM-22, PM-26, SI-18      

CONTROL-P (CT-P): Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.
Data Processing Policies, Processes, and Procedures (CT.PO-P): Policies, processes, and procedures are maintained and used to manage data processing (e.g., purpose, scope, roles and responsibilities in the data processing ecosystem, and management commitment) consistent with the organization’s risk strategy to protect individuals’ privacy.
CT.PO-P1: Policies, processes, and procedures for authorizing data processing (e.g., organizational decisions, individual consent), revoking authorizations, and maintaining authorizations are established and in place. PT-1, PT-2, PT-3, PT-4
CT.PO-P2: Policies, processes, and procedures for enabling data review, transfer, sharing or disclosure, alteration, and deletion are established and in place (e.g., to maintain data quality, manage data retention). AC-1, AC-3(14), CM-9, MP-6, PM-22, PM-23, SI-12, SI-18      
CT.PO-P3: Policies, processes, and procedures for enabling individuals’ data processing preferences and requests are established and in place. AC-1, AC-3(14), PT-1, PT-4, SI-18, PM-22      
CT.PO-P4: A data life cycle to manage data is aligned and implemented with the system development life cycle to manage systems. PL-8, SA-3, SA-4, SA-8, SA-10, SA-11, SA-15, SA-17, SI-12      
Data Processing Management (CT.DM-P): Data are managed consistent with the organization’s risk strategy to protect individuals’ privacy, increase manageability, and enable the implementation of privacy principles (e.g., individual participation, data quality, data minimization).
CT.DM-P1: Data elements can be accessed for review. AC-2, AC-3, AC-3(14), CM-2, CM-3, CM-6, SI-18
CT.DM-P2: Data elements can be accessed for transmission or disclosure. AC-2, AC-3, AC-4, AC-21, CM-2, CM-3, CM-6, SI-18      
CT.DM-P3: Data elements can be accessed for alteration. AC-2, AC-3, CM-2, CM-3, CM-6, SI-18      
CT.DM-P4: Data elements can be accessed for deletion. AC-2, AC-3, CM-2, CM-3, CM-6, SI-12, SI-18      
CT.DM-P5: Data are destroyed according to policy. MP-6, SI-12(3), SR-12      
CT.DM-P6: Data are transmitted using standardized formats. SI-10, AU-12      
CT.DM-P7: Mechanisms for transmitting processing permissions and related data values with data elements are established and in place. AC-16, PT-2(1), PT-2(2), PT-3(1), PT-3(2), SC-7(24), SI-18(1), SI-18(2), SC-16      
CT.DM-P8: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy and incorporating the principle of data minimization. AU-1, AU-2, AU-3, AU-6, AU-7, AU-12, AU-13, AU-14, AU-16      
CT.DM-P9: Technical measures implemented to manage data processing are tested and assessed. CA-2, CA-7, CM-4(2), SC-16(1), SI-6, SI-19(8)      
CT.DM-P10: Stakeholder privacy preferences are included in algorithmic design objectives and outputs are evaluated against these preferences.        
Disassociated Processing (CT.DP-P): Data processing solutions increase disassociability consistent with the organization’s risk strategy to protect individuals’ privacy and enable implementation of privacy principles (e.g., data minimization).
CT.DP-P1: Data are processed to limit observability and linkability (e.g., data actions take place on local devices, privacy-preserving cryptography). AC-23, AU-16(3), IA-8(6), PL-8, PM-7, SA-8(33), SA-17
CT.DP-P2: Data are processed to limit the identification of individuals (e.g., de-identification privacy techniques, tokenization). AC-23, AU-3(3), IA-4(8), PE-8(3), SA-8(33), SI-12(1), SI-12(2), SI-19      
CT.DP-P3: Data are processed to limit the formulation of inferences about individuals’ behavior or activities (e.g., data processing is decentralized, distributed architectures). AC-23, AU-16(3), IA-8(6), PL-8, PM-7, SA-8(33), SA-17, SC-2(2), SI-19      
CT.DP-P4: System or device configurations permit selective collection or disclosure of data elements.  CM-6, SA-8(33), SC-42(5)      
CT.DP-P5: Attribute references are substituted for attribute values. AC-16, SA-8(33)      

COMMUNICATE-P (CM-P): Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks.
Communication Policies, Processes, and Procedures (CM.PO-P): Policies, processes, and procedures are maintained and used to increase transparency of the organization’s data processing practices (e.g., purpose, scope, roles and responsibilities in the data processing ecosystem, and management commitment) and associated privacy risks.
CM.PO-P1: Transparency policies, processes, and procedures for communicating data processing purposes, practices, and associated privacy risks are established and in place. PM-20, PM-27, PT-1, PT-2, PT-3, PT-5, PT-6, RA-8
CM.PO-P2: Roles and responsibilities (e.g., public relations) for communicating data processing purposes, practices, and associated privacy risks are established. PT-1      
Data Processing Awareness (CM.AW-P): Individuals and organizations have reliable knowledge about data processing practices and associated privacy risks, and effective mechanisms are used and maintained to increase predictability consistent with the organization’s risk strategy to protect individuals’ privacy.
CM.AW-P1: Mechanisms (e.g., notices, internal or public reports) for communicating data processing purposes, practices, associated privacy risks, and options for enabling individuals’ data processing preferences and requests are established and in place. AC-8, PT-5, PM-20, SC-42(4)
CM.AW-P2: Mechanisms for obtaining feedback from individuals (e.g., surveys or focus groups) about data processing and associated privacy risks are established and in place. PM-15, PM-20, PM-26       
CM.AW-P3: System/product/service design enables data processing visibility. PL-8, PT-5(1), SA-17, SC-42(4)      
CM.AW-P4: Records of data disclosures and sharing are maintained and can be accessed for review or transmission/disclosure. PM-21      
CM.AW-P5: Data corrections or deletions can be communicated to individuals or organizations (e.g., data sources) in the data processing ecosystem. PM-22, SI-18(5)      
CM.AW-P6: Data provenance and lineage are maintained and can be accessed for review or transmission/disclosure. AC-16, PM-21, SC-16, SI-18, SR-4      
CM.AW-P7: Impacted individuals and organizations are notified about a privacy breach or event. IR-1, IR-2(3), IR-4, IR-6, IR-8      
CM.AW-P8: Individuals are provided with mitigation mechanisms (e.g., credit monitoring, consent withdrawal, data alteration or deletion) to address impacts of problematic data actions. IR-7, PT-4(3), SI-18      

PROTECT-P (PR-P): Develop and implement appropriate data processing safeguards.
Data Protection Policies, Processes, and Procedures (PR.PO-P): Security and privacy policies (e.g., purpose, scope, roles and responsibilities in the data processing ecosystem, and management commitment), processes, and procedures are maintained and used to manage the protection of data.
PR.PO-P1: A baseline configuration of information technology is created and maintained incorporating security principles (e.g., concept of least functionality). CM-1, CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10
PR.PO-P2: Configuration change control processes are established and in place. CM-3, CM-4, SA-10      
PR.PO-P3: Backups of information are conducted, maintained, and tested. CP-4, CP-6, CP-9      
PR.PO-P4: Policy and regulations regarding the physical operating environment for organizational assets are met. PE-1      
PR.PO-P5: Protection processes are improved. CA-2, CA-7, CA-8, CP-2, CP-4, IR-3, IR-8, PL-2, PM-6       
PR.PO-P6: Effectiveness of protection technologies is shared. AC-21, CA-7, CP-2, IR-8, SI-4      
PR.PO-P7: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are established, in place, and managed. CP-1, CP-2, CP-7, CP-10, IR-1, IR-7, IR-8, IR-9      
PR.PO-P8: Response and recovery plans are tested. CP-4, IR-3, PM-14      
PR.PO-P9: Privacy procedures are included in human resources practices (e.g., deprovisioning, personnel screening). PS-1, PS-2, PS-3, PS-4, PS-5, PS-6, PS-7, PS-8, PS-9, SA-21      
PR.PO-P10: A vulnerability management plan is developed and implemented. RA-1, RA-3, RA-5, SI-2      
Identity Management, Authentication, and Access Control (PR.AC-P): Access to data and devices is limited to authorized individuals, processes, and devices, and is managed consistent with the assessed risk of unauthorized access.
PR.AC-P1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized individuals, processes, and devices. IA-1, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, IA-10, IA-11, IA-12
PR.AC-P2: Physical access to data and devices is managed. PE-1, PE-2, PE-3, PE-4, PE-5, PE-6, PE-8, PE-9      
PR.AC-P3: Remote access is managed. AC-1, AC-17, AC-19, AC-20, SC-15      
PR.AC-P4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties. AC-1, AC-2, AC-3, AC-5, AC-6, AC-14, AC-16, AC-24      
PR.AC-P5: Network integrity is protected (e.g., network segregation, network segmentation). AC-4, AC-10, SC-7, SC-10, SC-20      
PR.AC-P6: Individuals and devices are proofed and bound to credentials, and authenticated commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks). AC-14, AC-16, IA-1, IA-2, IA-3, IA-4, IA-5, IA-8, IA-9, IA-10, IA-11, IA-12, PE-2, PS-3      
Data Security (PR.DS-P): Data are managed consistent with the organization’s risk strategy to protect individuals’ privacy and maintain data confidentiality, integrity, and availability.
PR.DS-P1: Data-at-rest are protected. MP-2, MP-3, MP-4, MP-5, MP-6, MP-7, MP-8, SC-28
PR.DS-P2: Data-in-transit are protected. SC-8, SC-11      
PR.DS-P3: Systems/products/services and associated data are formally managed throughout removal, transfers, and disposition. CM-8, MP-6, PE-16, PE-20      
PR.DS-P4: Adequate capacity to ensure availability is maintained. AU-4, CP-2, PE-11, SC-5      
PR.DS-P5: Protections against data leaks are implemented. AC-4, AC-5, AC-6, AU-13, PE-19, PS-6, SC-7, SI-4      
PR.DS-P6: Integrity checking mechanisms are used to verify software, firmware, and information integrity. SC-16, SI-7, SI-10      
PR.DS-P7: The development and testing environment(s) are separate from the production environment. CM-2(6)      
PR.DS-P8: Integrity checking mechanisms are used to verify hardware integrity. SA-10      
Maintenance (PR.MA-P): System maintenance and repairs are performed consistent with policies, processes, and procedures.
PR.MA-P1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools. MA-1, MA-2, MA-3, MA-5, MA-6
PR.MA-P2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access. MA-4      
Protective Technology (PR.PT-P): Technical security solutions are managed to ensure the security and resilience of systems/products/services and associated data, consistent with related policies, processes, procedures, and agreements.
PR.PT-P1: Removable media is protected and its use restricted according to policy. MP-1, MP-2, MP-3, MP-4, MP-5, MP-7, MP-8
PR.PT-P2: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities. AC-3, CM-7      
PR.PT-P3: Communications and control networks are protected. AC-12, AC-17, AC-18, CP-8, SC-5, SC-7, SC-10, SC-11, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-38, SC-47      
PR.PT-P4: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations. CP-7, CP-8, CP-11, CP-12, CP-13, PE-11, PL-8, SC-6      