CUI Category: Sensitive Personally Identifiable Information
Banner Marking: CUI
A subset of PII that, if lost, compromised or disclosed without authorization could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. Some forms of PII are sensitive as stand-alone elements.
a. Examples of stand-alone PII include: Social Security Numbers (SSN), driver's license or state identification number; Alien Registration Numbers; financial account number; and biometric identifiers such as fingerprint, voiceprint, or iris scan.
b. Additional examples of SPII include any groupings of information that contain an individual's name or other unique identifier plus one or more of the following elements:
c. Other PII may be "sensitive" depending on its context, such in as a list of employees and their performance rating(s) or an unlisted home address or phone number. In contrast, a business card or public telephone directory of agency employees contains PII, but is not sensitive.
|Banner Format and Marking Notes:||
CUI//Category Marking//Limited Dissemination Control
|Marking, Protection, and Dissemination‚Äč:||
This information must be (1) Marked as CUI using the CUI Control Marking (i.e., CUI) in accordance with marking guidance found on the CUI Registry; (2) Protected in accordance with 32 CFR Part 2002, ‚ÄúControlled Unclassified Information‚ÄĚ; and (3) Disseminated in accordance with any limited dissemination control markings applied to the information. The CUI Registry lists all limited dissemination control markings that can be applied to CUI.
When there is overlap with existing CUI Categories, and if applicable, the requirements from existing categories must be followed.
Notes for Safeguarding, Dissemination and Sanction Authorities:
- Whether CUI is Basic or Specified is determined by the applicable Safeguarding and/or Dissemination Authority for that CUI.
- Each "Safeguarding and/or Dissemination Authority" citation links to the statute, regulation or government-wide policy authorizing the control of that information as CUI.
- Each "Sanctions" authority links to the statute, regulation or government-wide policy that includes penalties for CUI misuse of CUI for the associated "Safeguarding and/or Dissemination Authority" on the same line.
|Safeguarding and/or Dissemination Authority||Basic or
|Provisional Approval 2018-09-07||Basic||CUI|
Authority links are updated based on regular re-publication of the United States Code and Code of Federal Regulations, and the CUI Registry maintenance schedule.