The reality of security and data protection controls is that control implementation equates to an incurred cost by an organization, so it makes financial sense for organizations to understand where controls must be implemented to avoid “blanket coverage” for implementing controls that could be cost-prohibitive. Scoping should be considered a fiduciary responsibility.

This document refers to both sensitive and regulated data as “sensitive data” to simplify terminology. The concept of sensitive data is applicable to the following data types:

  • Controlled Unclassified Information (CUI)

  • Personally Identifiable Information (PII)

  • Cardholder Data (CHD)

  • Attorney-Client Privilege Information (ACPI)

  • Export-Controlled Data (ITAR / EAR)

  • Federal Contract Information (FCI)

  • Protected Health Information (PHI)

  • Intellectual Property (IP)

  • Student Educational Records (FERPA)

  • Critical Infrastructure Information (CII)

The model described in this document utilizes eight (8) zones to categorize system components, based on the interaction with sensitive data. This model highlights the different types of risks associated with each zone. This approach makes it evident which systems, applications and services must be appropriately protected, due to the risk posed to sensitive data. The Sensitive Data Environment (SDE) encompasses the people, processes and technologies that store, process and transmit sensitive data:

  • Store – When sensitive data is inactive or at rest (e.g., located on electronic media, system component memory, paper)

  • Process – When sensitive data is actively being used by a system component (e.g., entered, edited, manipulated, printed, viewed)

  • Transmit – When sensitive data is being transferred from one location to another (e.g., data in motion).

   Controlled Unclassified Information (CUI) for NIST 800-171 & CMMC   

If you are unsure what CUI data is, you are highly-encouraged to visit the US government’s authoritative source on CUI, the US Archive’s CUI Registry - https://www.archives.gov/cui/registry/category-list. However to help prevent making everything CUI, per Section 3(b) of Executive Order 13556, "if there is significant doubt about whether information should be designated as CUI, it shall not be so designated."

 

DFARS 252.204-7012 establishes the need to protect CUI by providing "adequate” protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information. This DFARS clause requires compliance with NIST SP 800-171 on all “Covered Contractor Information Systems.”

  • Covered Contractor Information System (CCIS) means an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits “Covered Defense Information.”

  • Covered Defense Information (CDI) means unclassified "Controlled Technical Information" or other information, as described in sensitive data Registry.

  • Controlled Technical Information (CTI) means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.

 

Examples of technical information include, but are not limited to:

  • Research and engineering data

  • Engineering drawings

  • Associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and

  • Computer software executable code and source code.

 

SP 800-171 requires private companies to protect the confidentiality of CUI where it is stored, transmitted and/or processed. The CUI requirements within NIST SP 800-171 are directly linked to NIST SP 800-53 MODERATE baseline controls and are intended for use by federal agencies in contracts or other agreements established between those agencies and government/DoD contractors.

 

For the Defense Industrial Base (DIB), on top of NIST SP 800-171 controls, DFARS 252.204-7021 requires defense contractors to also obtain certification with the Cybersecurity Maturity Model Certification (CMMC) model. 

   Controlled Unclassified Information (CUI) for NIST 800-171 & CMMC   

FCI is a very broad data classification category. Federal Acquisition Regulation (FAR) 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, lists fifteen (15) cybersecurity requirements. These requirements form the basis of CMMC Level 1 practices.

 

Per FAR 52.204-21, FCI is defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”

 

FCI includes any communication or representation of knowledge such as:

  • Facts;

  • Data; and

  • Opinions.

 

FCI can be in any medium or form, including:

  • Textual;

  • Numerical;

  • Graphic;

  • Cartographic;

  • Narrative; or

  • Audiovisual.

   Personally Identifiable Information (PII) / Personal Information (PI) / Personal Data (PD)  

The concept of “personally identifiable information” is a nebulous, due to conflicting definitions from various laws, regulations and frameworks. The key concept to keep in mind is that not all PII is sensitive, such as an individual’s name in conjunction with a photo, which can be found on sources that range from social networking sites to identification cards. When an individual’s name is tied to other relevant information that could lead to criminal activity (e.g., identity theft, stalking, kidnapping, etc.) or discrimination, that is when the information becomes sensitive data.

 

In the examples below, various definitions of PII / PI / PD are shown to demonstrate the significant differences between authoritative sources, so it is the responsibility of every organization to conduct appropriate due diligence to establish the context for what PII / PI / PD is specific to the organization’s unique business case:

 

US – Federal Government

The US Government’s Office of Management and Budget (OMB) Memorandum M-07-16 refers to PII as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.”

 

US – State Government

The California Consumer Privacy Act (CCPA) leverages CA Civil Code 1798.81.5 to identify instances where reasonable security practices must exist to protect sensitive personal information from unauthorized access, destruction, use, modification, or disclosure. While 1798.81.5 refers to this as “personal information” the CCPA definitions are targeted towards “sensitive personally identifiable information” where the 1798.81.5 definition includes:

  • An individual’s first name or first initial and the individual’s last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

    • Social security number.

    • Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.

    • Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

    • Medical information.

    • Health insurance information.

    • Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.

  • A username or email address in combination with a password or security question and answer that would permit access to an online account.

 

European Union (EU)

Article 4, Section 1 of the EU General Data Protection Regulation (GDPR) defines “personal data” as:

  • Any information relating to an identified or identifiable natural person (‘data subject’);

  • An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as:

    • A name;

    • An identification number;

    • Location data;

    • An online identifier; or

    • To one or more factors specific to the:

      • Physical;

      • Physiological;

      • Genetic;

      • Mental;

      • Economic;

      • Cultural; or

      • Social identity of that natural person.

   Protected Health Information (PHI)  

Per 45 CFR § 160.103, PHI is defined as individually identifiable health information:

  1. Except as provided in paragraph (2) of this definition, that is:

    1. Transmitted by electronic media;

    2. Maintained in electronic media; or

    3. Transmitted or maintained in any other form or medium.

  2. Protected health information excludes individually identifiable health information:

    1. In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;

    2. In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);

    3. In employment records held by a covered entity in its role as employer; and

    4. Regarding a person who has been deceased for more than 50 years.

   Cardholder Data (CHD)  

Per the PCI Security Standards Council, CHD is defined (at a minimum) as the full Primary Account Number (PAN). CHD may also appear in the form of the full PAN plus any sensitive authentication data, including:

  • Cardholder name; and

  • Expiration date and/or service code.

   Intellectual Property (IP)  

Not all IP is equally valued by organizations, so it is important for organization to develop a data classification scheme to appropriately protect its IP. Data classification schemes allow an organization to prioritize controls around “crown jewels” IP that are essential to the viability of its business model, as compared to low value IP that requires less-stringent security protections.

 

Per the World Trade Organization (WTO), IP can be defined in several ways:

  • Copyright and rights related to copyright (e.g., literary and artistic works); and

  • Industrial property:

    • Trademarks;

    • Patents;

    • Industrial designs; and

    • Trade secrets.

   Attorney-Client Privilege Information (ACPI)  

ACPI is information between a client and his/her attorney, which may include other forms of sensitive information pertaining to the legal advice being sought (e.g., IP, CUI, FCI, PHI, PII, ITAR, etc.).

 

Per rule 1.6(c) of the American Bar Association’s Model Rules of Professional Conduct, an attorney “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

 

Per Cornell Law School’s Legal Information Institute:

  • Attorney-client privilege refers to “a legal privilege that works to keep confidential communications between an attorney and his or her client secret. The privilege is asserted in the face of a legal demand for the communications, such as a discovery request or a demand that the lawyer testify under oath.”

  • The work product doctrine refers to data protections, where “an adverse party generally may not discover or compel disclosure of written or oral materials prepared by or for an attorney in the course of legal representation, especially in preparation for litigation.”

   Student Educational Records (FERPA)  

Per 34 CFR § 99.3, an "education record" is defined as records that are:

  • Directly related to a student; and

  • Maintained by an educational agency or institution or by a party acting for the agency or institution.

   Export-Controlled Data (ITAR / EAR)  

Per 15 CFR § 730-774, the U.S. Department of Commerce regulates the export of “dual-use” items according to the Export Administration Regulations (EAR). EAR items include goods and related technology, including technical data and technical assistance, which are designed for commercial purposes, but which could have military applications.

The list of EAR-controlled items, commonly referred to as the Commerce Control List (CCL). The CCL categorizes these covered items into 10 broad categories:

  1. Nuclear Materials, Facilities and Equipment, and Miscellaneous;

  2. Materials, Chemicals, Microorganisms, and Toxins;

  3. Materials Processing;

  4. Electronics;

  5. Computers;

  6. Telecommunications and Information Security;

  7. Lasers and Sensors;

  8. Navigation and Avionics;

  9. Marine; and

  10. Propulsion Systems, Space Vehicles, and Related Equipment.

 

EAR covers a broad range of categories:

  • “Technical Data” may take forms such as:

    • Blueprints;

    • Plans;

    • Diagrams;

    • Models;

    • Formulae

    • Tables;

    • Engineering designs and specifications; and

    • Manuals and instructions.

  • “Technical Assistance” may take forms such as:

    • Instruction;

    • Skills training; and

    • Consulting services.

 

Within EAR, there are country-specific restrictions:

  • D:1 (National Security)

  • D:2 (Nuclear)

  • D:3 (Chemical & Biological)

  • D:4 (Missile Technology)

  • D:5 (US Arms Embargoed Countries)

  • E:1 (Terrorist Supporting Countries)

  • E:2 (Unilateral Embargo)

   Critical Infrastructure Information (CII)  

Per Section 671(3) of the Critical Infrastructure Information Act of 2002 (6 U.S.C. 131(3)), CII is defined as information not customarily in the public domain and related to the security of critical infrastructure or protected systems:

  1. Actual, potential, or threatened interference with, attack on, compromise of, or incapacitation of critical infrastructure or protected systems by either physical or computer-based attack or other similar conduct (including the misuse of or unauthorized access to all types of communications and data transmission systems) that violates Federal, State, or local law, harms interstate commerce of the United States, or threatens public health or safety;

  2. The ability of any critical infrastructure or protected system to resist such interference, compromise, or incapacitation, including any planned or past assessment, projection, or estimate of the vulnerability of critical infrastructure or a protected system, including security testing, risk evaluation thereto, risk management planning, or risk audit; or

  3. Any planned or past operational problem or solution regarding critical infrastructure or protected systems, including repair, recovery, reconstruction, insurance, or continuity, to the extent it is related to such interference, compromise, or incapacitation.

   Data-Centric Approach To Defining The Accreditation Boundary For Compliance