Level 4: Controlled Unclassified Information
Is any of the data/information Controlled Unclassified Information that under law or policy
requires protection from unauthorized disclosure as established by Executive Order 13556
(November 2010) or other mission critical data AND can it be considered data/information
that when some or all of it when considered in aggregate creates the conditions for holding
the data/information at a higher level?
​
For Reference: NIST describes aggregation, also commonly referred to as compilation in Section 4.4.2.1 of NIST 800-60
Aggregation
Some information may have little or no sensitivity in isolation but may be highly sensitive in aggregation. In some cases, aggregation of large quantities of a single information type can reveal sensitive patterns and plans, or facilitate access to sensitive or critical systems. In other cases, aggregation of information of several different and seemingly innocuous types can have similar effects. In general, the sensitivity of a given data element is likely to be greater in context than in isolation (e.g., association of an account number with the identity of an individual and/or institution). The availability, routine operational employment, and sophistication of data aggregation and inference tools are all increasing rapidly. If review reveals increased sensitivity or criticality associated with information aggregates, then the system security objective impact levels may need to be adjusted to a higher level than would be indicated by the security impact levels associated with any individual information type. This could be implemented by incorporating a statement that explains the aggregation and potential security objective affected as well as the modification to impact levels. (Ref: 1)
