Here we are attempting to answer the question, “Is all the data/
information under consideration cleared for public release?”
a)Do you have some data (DoD or Federal) that is private
unclassified information not designated as CUI or critical mission
data but the data/information still requires some minimal level of
access control?
This question is meant to inform the acquirer that even though there may be data/information that is considered private unclassified information, if it is not designated as CUI or critical mission data but it still requires a minimal level of access control, it may still reside at Level 2 as long as those controls are in place and the risks have been assessed and are accepted by the acquirer to hold the data/information at this level.
​
Note: Is there an expectation that data/information at this level will be connected to other higher levels of data/information via a hybrid cloud solution? If yes, the acquirer should consider the risks of doing so and/or the risk mitigating prospect of moving the data/ information to a higher level (i.e., Level 4 or higher) in order to mitigate risk or adhere to established regulations. (Example: Office 365 & access to Active Directory)
​
Based on what you know, please select the best answer to the question below: