The organization retains each collection of personally identifiable information (PII) for the organization-defined time period to fulfill the purpose(s) identified in the published privacy notice or as required by law.
No STIG checks reference this CCI.