Level 5: Controlled Unclassified Information
Is any of the data/information unclassified information that
under law or policy requires protection from unauthorized
disclosure as established by Executive Order 13556
(November 2010) or other mission critical data AND can it
be considered data/information that when viewed in aggregate some or all of it can be considered “Secret” and therefore create the conditions for holding the data/information at a higher level?
For Reference: NIST describes aggregation, also commonly referred to as compilation in Section 4.4.2.1 of NIST 800-60
The availability, routine operational employment, and sophistication of data aggregation and inference tools are all increasing rapidly. If review reveals increased sensitivity or criticality associated with information aggregates, then the system security objective impact levels may need to be adjusted to a higher level than would be indicated by the security impact levels associated with any individual information type. This could be implemented by incorporating a statement that explains the aggregation and potential security objective affected as well as the modification to impact levels. (Ref: 1)
​
1 NIST 800-60, Volume 1 Rev 1: Guide for Mapping Types of Information and Information Systems to Security Categories: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf