The organization establishes an inventory that contains a listing of all information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII).
No STIG checks reference this CCI.