General Critical Infrastructure Information

Designation evidence

• NARA authority row: National Security Memorandum on Critical Infrastructure Security and Resilience | status: Basic | banner: CUI.
• Related authority evidence: National Security Memorandum on Critical Infrastructure Security and Resilience | status: Basic | banner: CUI

Extracted authority meaning

None listed

Operating conditions

• NARA category scope used with this authority: Systems and assets, whether physical or virtual, so vital that the incapacity or destruction of such may have a debilitating impact on the security, economy, public health or safety, environment, or any combination of these matters, across any Federal, State, regional, territorial, or local jurisdiction.
• National Security Memorandum on Critical Infrastructure Security and Resilience | status: Basic | banner: CUI
• NARA registry status: Basic. Per-authority NARA status values: Basic. NARA banner marking evidence: CUI. The registry evidence is preserved here; detailed primary-law or regulation text analysis remains pending for this category.
• NARA category scope: Systems and assets, whether physical or virtual, so vital that the incapacity or destruction of such may have a debilitating impact on the security, economy, public health or safety, environment, or any combination of these matters, across any Federal, State, regional, territorial, or local jurisdiction.

Safeguarding and dissemination controls

• NARA registry control evidence: status Basic; banner marking CUI.
• Nara basic or specified: Basic
• Nara authority rows: National Security Memorandum on Critical Infrastructure Security and Resilience | status: Basic | banner: CUI
• Nara banner markings: CUI
• Dod applicable policies: DoDD 3020.40, DoDI 3020.45
• No DoD required dissemination control is listed on the registry page. Apply approved limited dissemination controls only when required or permitted by the designating agency or governing authority.
• Use the registry assertions, NARA authority rows, DoD authorities, DoD policies, warning statements, required dissemination controls, and examples first. Where the cited authority does not specify a handling detail, apply CUI Basic safeguards and dissemination rules so long as they do not conflict with the authority or agency-specific controls.

Designation evidence

• DoD authority row: Presidential Policy Directive 21. DoD lists this citation for the category; this DoD detail page does not display a separate Basic/Specified field.
• Related authority evidence: DoD lists this authority for the category; the linked authority text is extracted below when available.
• Registry designation context: Basic, CUI. The linked authority text contains category-scope or applicability language that helps determine when the information falls within this CUI category. The linked authority text contains disclosure, access, protection, release, dissemination, or distribution-control language relevant to handling. The linked authority text contains violation, penalty, sanction, or enforcement language that may affect consequences for mishandling.
• Registry designation for this category is Basic with banner CUI.

Extracted authority meaning

• Directive on Critical Infrastructure Security and Resilience
• Registry designation context: Basic, CUI. The linked authority text contains category-scope or applicability language that helps determine when the information falls within this CUI category. The linked authority text contains disclosure, access, protection, release, dissemination, or distribution-control language relevant to handling. The linked authority text contains violation, penalty, sanction, or enforcement language that may affect consequences for mishandling.

Operating conditions

• DoD category scope used with this authority: Systems and assets, whether physical or virtual, so vital that the incapacity or destruction of such may have a debilitating impact on the security, economy, public health or safety, environment, or any combination of these matters, across any Federal, State, regional, territorial, or local jurisdiction.
• DoD lists this authority for the category; the linked authority text is extracted below when available.
• NARA registry status: Basic. Per-authority NARA status values: Basic. NARA banner marking evidence: CUI. The registry evidence is preserved here; detailed primary-law or regulation text analysis remains pending for this category.
• NARA category scope: Systems and assets, whether physical or virtual, so vital that the incapacity or destruction of such may have a debilitating impact on the security, economy, public health or safety, environment, or any combination of these matters, across any Federal, State, regional, territorial, or local jurisdiction.
• Extracted authority condition: infrastructure owners and operators, where appropriate with independent regulatory agencies, and with SLTT entities, as appropriate, to implement this directive; 2) Serve as a day-to-day Federal interface for the dynamic prioritization and coordination of sector-specific activities; 3) Carry out incident management responsibilities consistent with statutory authority and other appropriate policies, directives, or regulations; 4) Provide, support, or facilitate technical assistance and consultations for that sector to identify vulnerabilities and help mitigate incidents, as appropriate; and 5) Support the Secretary of Homeland Security's statutorily required reporting requirements by providing on an annual basis sector-specific critical infrastructure information.
• Extracted authority condition: Within 240 days of the date of this directive, the Secretary of Homeland Security shall demonstrate a near real-time situational awareness capability for critical infrastructure that includes threat streams and all-hazards information as well as vulnerabilities; provides the status of critical infrastructure and potential cascading effects; supports decision making; and disseminates critical information that may be needed to save or sustain lives, mitigate damage, or reduce further degradation of a critical infrastructure capability throughout an incident.
• Extracted authority condition: Additional roles and responsibilities for the Secretary of Homeland Security include: 1) Identify and prioritize critical infrastructure, considering physical and cyber threats, vulnerabilities, and consequences, in coordination with SSAs and other Federal departments and agencies; 2) Maintain national critical infrastructure centers that shall provide a situational awareness capability that includes integrated, actionable information about emerging trends, imminent threats, and the status of incidents that may impact critical infrastructure; 3) In coordination with SSAs and other Federal departments and agencies, provide analysis, expertise, and other technical assistance to critical infrastructure owners and operators and facilitate access to and exchange of information and intelligence necessary to strengthen the security and resilience of critical infrastructure; 4) Conduct comprehensive assessments of the vulnerabilities of the Nation's critical infrastructure in coordination with the SSAs and in collaboration with SLTT entities and critical infrastructure owners and operators; 5) Coordinate Federal Government responses to significant cyber or physical incidents affecting critical infrastructure consistent with statutory authorities;...
• Extracted authority condition: This function shall also use information and intelligence provided by other critical infrastructure partners, including SLTT and nongovernmental analytic entities.
• Extracted authority condition: Finally, this integration and analysis function shall support DHS's ability to maintain and share, as a common Federal service, a near real-time situational awareness capability for critical infrastructure that includes actionable information about imminent threats, significant trends, and awareness of incidents that may affect critical infrastructure.

Safeguarding and dissemination controls

• DoD applicable policies: DoDD 3020.40, DoDI 3020.45
• Nara basic or specified: Basic
• Nara authority rows: National Security Memorandum on Critical Infrastructure Security and Resilience | status: Basic | banner: CUI
• Nara banner markings: CUI
• Dod applicable policies: DoDD 3020.40, DoDI 3020.45
• No DoD required dissemination control is listed on the registry page. Apply approved limited dissemination controls only when required or permitted by the designating agency or governing authority.
• Use the registry assertions, NARA authority rows, DoD authorities, DoD policies, warning statements, required dissemination controls, and examples first. Where the cited authority does not specify a handling detail, apply CUI Basic safeguards and dissemination rules so long as they do not conflict with the authority or agency-specific controls.
• Extracted authority control: Interoperability with critical infrastructure partners; identification of key data and the information requirements of key Federal, SLTT, and private sector entities; availability, accessibility, and formats of data; the ability to exchange various classifications of information; and the security of those systems to be used; and appropriate protections for individual privacy and civil liberties should be included in the analysis.
• Extracted authority control: This directive revokes Homeland Security Presidential Directive/HSPD–7, Critical Infrastructure Identification, Prioritization, and Protection, issued December 17, 2003.
• Extracted authority control: Within 240 days of the date of this directive, the Secretary of Homeland Security shall demonstrate a near real-time situational awareness capability for critical infrastructure that includes threat streams and all-hazards information as well as vulnerabilities; provides the status of critical infrastructure and potential cascading effects; supports decision making; and disseminates critical information that may be needed to save or sustain lives, mitigate damage, or reduce further degradation of a critical infrastructure capability throughout an incident.
• Extracted authority control: Additional roles and responsibilities for the Secretary of Homeland Security include: 1) Identify and prioritize critical infrastructure, considering physical and cyber threats, vulnerabilities, and consequences, in coordination with SSAs and other Federal departments and agencies; 2) Maintain national critical infrastructure centers that shall provide a situational awareness capability that includes integrated, actionable information about emerging trends, imminent threats, and the status of incidents that may impact critical infrastructure; 3) In coordination with SSAs and other Federal departments and agencies, provide analysis, expertise, and other technical assistance to critical infrastructure owners and operators and facilitate access to and exchange of information and intelligence necessary to strengthen the security and resilience of critical infrastructure; 4) Conduct comprehensive assessments of the vulnerabilities of the Nation's critical infrastructure in coordination with the SSAs and in collaboration with SLTT entities and critical infrastructure owners and operators; 5) Coordinate Federal Government responses to significant cyber or physical incidents affecting critical infrastructure consistent with statutory authorities;...
• Extracted authority control: The NRC is to collaborate, to the extent possible, with DHS, DOJ, the Department of Energy, the Environmental Protection Agency, and other Federal departments and agencies, as appropriate, on strengthening critical infrastructure security and resilience.
• Extracted authority control: Three strategic imperatives shall drive the Federal approach to strengthen critical infrastructure security and resilience: 1) Refine and clarify functional relationships across the Federal Government to advance the national unity of effort to strengthen critical infrastructure security and resilience; 2) Enable effective information exchange by identifying baseline data and systems requirements for the Federal Government; and 3) Implement an integration and analysis function to inform planning and operations decisions regarding critical infrastructure.
• Extracted authority control: As a result, Federal functions related to critical infrastructure security and resilience shall be clarified and refined to establish baseline capabilities that will reflect this evolution of knowledge, to define relevant Federal program functions, and to facilitate collaboration and information exchange between and among the Federal Government, critical infrastructure owners and operators, and SLTT entities.

Designation evidence

• Related authority evidence: DoD lists this applicable policy for the category; the linked policy text is extracted below when available.
• Registry designation context: Basic, CUI. The linked authority text contains category-scope or applicability language that helps determine when the information falls within this CUI category. The linked authority text contains disclosure, access, protection, release, dissemination, or distribution-control language relevant to handling. The linked authority text contains violation, penalty, sanction, or enforcement language that may affect consequences for mishandling.
• Registry designation for this category is Basic with banner CUI.

Extracted authority meaning

• Title: DoDD 3020.40, November 29, 2016, Incorporating Change 1 on September 11, 2018
• Registry designation context: Basic, CUI. The linked authority text contains category-scope or applicability language that helps determine when the information falls within this CUI category. The linked authority text contains disclosure, access, protection, release, dissemination, or distribution-control language relevant to handling. The linked authority text contains violation, penalty, sanction, or enforcement language that may affect consequences for mishandling.

Operating conditions

• DoD lists this applicable policy for the category; the linked policy text is extracted below when available.
• Extracted authority condition: (4) Provide timely information to the Secretary of Homeland Security and the national critical infrastructure centers necessary to support cross-sector analysis and inform the situational awareness capability for critical infrastructure.
• Extracted authority condition: (5) Providing to the Secretary of Homeland Security, on an annual basis, sector-specific critical infrastructure information.
• Extracted authority condition: A process to protect or ensure the continued function and resilience of capabilities and assets, including personnel, equipment, facilities, networks, information and information systems, infrastructure, and supply chains, critical to the execution of DoD mission-essential functions in any operating environment or condition.

Safeguarding and dissemination controls

• Extracted authority control: Composed of personnel, physical, industrial, information, and operational security programs; special access programs security policy; critical program information protection policy; and security training.
• Extracted authority control: DoD Components will maintain sufficient resources to meet DCI responsibilities for identifying, assessing, managing, and monitoring risk to critical infrastructure and align associated security, protection, and risk management efforts under an MA construct.
• Extracted authority control: Department of Homeland Security, “National Infrastructure Protection Plan 2013: Partnering for Critical Infrastructure Security and Resiliency,” 2013
• Extracted authority control: A process to protect or ensure the continued function and resilience of capabilities and assets, including personnel, equipment, facilities, networks, information and information systems, infrastructure, and supply chains, critical to the execution of DoD mission-essential functions in any operating environment or condition.
• Extracted authority control: These existing security, protection, and risk-management programs and activities will continue to meet DoDD 3020.40, November 29, 2016 Change 1, September 11, 2018
• Extracted authority control: Unit commanders or civilian managers and directors responsible for DoD elements occupying leased facility space, or space in buildings owned or operated by the U.S.
• Extracted authority control: The framework of interdependent physical and cyber-based systems comprising identifiable industries, institutions (including people and procedures), and distribution capabilities that provide a reliable flow of products and services essential to the defense and economic security of the United States, to the smooth functioning of government at all levels, and to society as a whole.

Designation evidence

• Related authority evidence: DoD lists this applicable policy for the category; the linked policy text is extracted below when available.
• Registry designation context: Basic, CUI. The linked authority text contains category-scope or applicability language that helps determine when the information falls within this CUI category. The linked authority text contains disclosure, access, protection, release, dissemination, or distribution-control language relevant to handling. The linked authority text contains violation, penalty, sanction, or enforcement language that may affect consequences for mishandling.
• Registry designation for this category is Basic with banner CUI.

Extracted authority meaning

• Title: DoDI 3020.45, "Mission Assurance Construct," August 14, 2018, Incorporating Change 1 on May 2, 2022
• Registry designation context: Basic, CUI. The linked authority text contains category-scope or applicability language that helps determine when the information falls within this CUI category. The linked authority text contains disclosure, access, protection, release, dissemination, or distribution-control language relevant to handling. The linked authority text contains violation, penalty, sanction, or enforcement language that may affect consequences for mishandling.

Operating conditions

• DoD lists this applicable policy for the category; the linked policy text is extracted below when available.
• Extracted authority condition: Information includes but is not limited to asset lists or subsets; asset BEIs; criticality data; threat and hazard information at the global, region, area, or installation and local level; assessment reports; RMPs; operational status reports; program resource information and reports; readiness reporting; program process plans; and MACB and MACB working group information.
• Extracted authority condition: It includes both asset mitigation planning to return critical assets to operational status, such as prepositioned rapid runway repair material, and contingency planning by mission owners devising alternative DoDI 3020.45, August 14, 2018 Change 1, May 2, 2022
• Extracted authority condition: (2) The ASD(HD&HA) will leverage the assessments by the Department of Homeland Security Protective Security Advisors, or other similar assessments, for commercial TCAs, as applicable, and post assessment results to the MA system of record while abiding by all appropriate classification, proprietary, contractual, and protected critical infrastructure information requirements.
• Extracted authority condition: (3) CCMDs with geographic areas of responsibility will work with the Department of State and host nations, as appropriate and to the greatest extent possible, to assess foreign-owned TCAs and post assessment results to the MA system of record while abiding by all appropriate classification, proprietary, contractual, and protected critical infrastructure information requirements.

Safeguarding and dissemination controls

• Extracted authority control: (3) DoD personnel will be familiar with non-DoD agency classifications such as sensitive secure information, protected critical infrastructure information, and LE sensitive information before release to ensure proper handling of MA information.
• Extracted authority control: (k) Fire protection and prevention, in accordance with DoDI 6055.06, enhance DoD mission capabilities by protecting the U.S. homeland and critical bases of operation through preventive risk management, education, emergency response, and risk communication as they relates to fire.
• Extracted authority control: (2) The ASD(HD&HA) will leverage the assessments by the Department of Homeland Security Protective Security Advisors, or other similar assessments, for commercial TCAs, as applicable, and post assessment results to the MA system of record while abiding by all appropriate classification, proprietary, contractual, and protected critical infrastructure information requirements.
• Extracted authority control: (3) CCMDs with geographic areas of responsibility will work with the Department of State and host nations, as appropriate and to the greatest extent possible, to assess foreign-owned TCAs and post assessment results to the MA system of record while abiding by all appropriate classification, proprietary, contractual, and protected critical infrastructure information requirements.
• Extracted authority control: (a) Decomposing assigned strategic missions based upon specified or implied tasks, or based upon the universal joint task list (UJTL), to define and provide mission-essential capabilities, standards, and conditions to appropriate DoD Components for task critical asset (TCA) identification.
• Extracted authority control: (n) LE, or suspicious activity reporting, in accordance with DoDI 2000.26, identifies persons involved in terrorism, criminal-related activities, and threats directed against DoD.