Level 2: Non-Controlled Unclassified Information
Level 2 includes all data cleared for public release, as well as some DoD
private unclassified information not designated as CUI or critical mission data,
but the information requires some minimal level of access control.
Here we are attempting to answer the question, “Is some of the data under consideration cleared for public release?
a) Do you have some data (DoD or Federal) that is private unclassified information not designated as CUI or critical mission data but the data/information still requires some minimal level of access control?
​
This question is meant to inform the acquirer that even though there may be data/information that is considered private unclassified information, if it is not designated as CUI or critical mission data but it still requires a minimal level of access control, it may still reside at Level 2 as long as those controls are in place and the risks have been assessed and are accepted by the acquirer to hold the data/information at this level.
​
Considerations:
Is there an expectation that data/information at this level will be connected to other higher levels of data/information via a hybrid cloud solution? If yes, the acquirer should consider the risks of doing so and/or the risk mitigating prospect of moving the data/information to a higher level (i.e., Level 4 or higher) in order to mitigate risk or adhere to established regulations. (Example: Office 365 & access to Active Directory)
​
When some data may be held at Level 2 in an approved public cloud and other data/information is elevated to a higher level (e.g., Level 4, 5, 6 or higher), this suggests that either a Hybrid Cloud instantiation or a multi-cloud strategy or both may be intended or pursued.
​
Based on what you know, please select the best answer to the question below:
Some data is cleared for public release.
​