44 USC 3554 - 3555
Listed by: DoD Registry, Related authorities
Designation evidence
- DoD authority row: 44 USC 3554 - 3555. DoD lists this citation for the category; this DoD detail page does not display a separate Basic/Specified field.
- Related authority evidence: DoD lists this authority for the category; the linked authority text is extracted below when available.
- Registry designation context: Basic, CUI. The linked authority text contains category-scope or applicability language that helps determine when the information falls within this CUI category. The linked authority text contains disclosure, access, protection, release, dissemination, or distribution-control language relevant to handling. The linked authority text contains violation, penalty, sanction, or enforcement language that may affect consequences for mishandling.
- Registry designation for this category is Basic with banner CUI.
Extracted authority meaning
- Source text: Title 44 (Public Printing and Documents), extraction beginning at § 3551.
Operating conditions
- DoD category scope used with this authority: Related to information that if not protected, could result in adverse effects to information systems. Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
- NARA registry status: Basic; both NARA authority rows for this category carry status Basic. NARA banner marking evidence: CUI. The registry evidence is preserved here; detailed analysis of the primary-law text remains pending for this category.
- NARA category scope: Related to information that if not protected, could result in adverse effects to information systems. Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
- Extracted authority condition (an appropriations proviso carried as a statutory note under § 3553; the extraction begins mid-citation): L. 114–4, see Tables for classification] for ‘National Protection and Programs Directorate, Infrastructure Protection and Information Security’, $140,525,000 for the Federal Network Security program, project, and activity shall be used to deploy on Federal systems technology to improve the information security of agency information systems covered by [former] section 3543(a) of title 44, United States Code [see now 44 U.S.C. 3553]: Provided, That funds made available under this section shall be used to assist and support Government-wide and agency-specific efforts to provide adequate, risk-based, and cost-effective cybersecurity to address escalating and rapidly evolving threats to information security, including the acquisition and operation of a continuous monitoring and diagnostics program, in collaboration with departments and agencies, that includes equipment, software, and Department of Homeland Security supplied services: Provided further, That continuous monitoring and diagnostics software procured by the funds made available by this section shall not transmit to the Department of Homeland Security any personally identifiable information or content of network communications of other agencies’ users: Provided further, That such software shall be installed, maintained,...
- Extracted authority condition: (b) Additional Definitions.—As used in this subchapter: (1) The term ‘‘binding operational directive’’ means a compulsory direction to an agency that— (A) is for purposes of safeguarding Federal information and information systems from a known or reasonably suspected information security threat, vulnerability, or risk; (B) shall be in accordance with policies, principles, standards, and guidelines issued by the Director; and (C) may be revised or repealed by the Director if the direction issued on behalf of the Director is not in accordance with policies and principles developed by the Director.
- Extracted authority condition: (b) Secretary.—The Secretary, in consultation with the Director, shall administer the implementation of agency information security policies and practices for information systems, except for national security systems and information systems described in paragraph (2) or (3) of subsection (e), including— (1) assisting the Director in carrying out the authorities and functions under paragraphs (1), (2), (3), (5), and (6) of subsection (a); (2) developing and overseeing the implementation of binding operational directives to agencies to implement the policies, principles, standards, and guidelines developed by the Director under subsection (a)(1) and the requirements of this subchapter, which may be revised or repealed by the Director if the operational directives issued on behalf of the Director are not in accordance with policies, principles, standards, and guidelines developed by the Director, including— (A) requirements for reporting security incidents to the Federal information security incident center established under section 3556; (B) requirements for the contents of the annual reports required to be submitted under section 3554(c)(1); (C) requirements for the mitigation of exigent risks to information systems; and (D) other operational requirements as the Director or Secretary, in consultation with the Director,...
- Extracted authority condition: (c) Report.—Not later than March 1 of each year, the Director, in consultation with the Secretary, shall submit to Congress a report on the effectiveness of information security policies and practices during the preceding year, including— (1) a summary of the incidents described in the annual reports required to be submitted under section 3554(c)(1), including a summary of the information required under section 3554(c)(1)(A)(iii); (2) a description of the threshold for reporting major information security incidents; (3) a summary of the results of evaluations required to be performed under section 3555; (4) an assessment of agency compliance with standards promulgated under section 11331 of title 40; and (5) an assessment of agency compliance with data breach notification policies and procedures issued by the Director.
- Extracted authority condition (this passage is the definitions section of the E-Government chapter of title 44, as its cross-references to sections 3602–3604 show, not of the information security subchapter; it is context only): Definitions In this chapter, the definitions under section 3502 shall apply, and the term— (1) ‘‘Administrator’’ means the Administrator of the Office of Electronic Government established under section 3602; (2) ‘‘Council’’ means the Chief Information Officers Council established under section 3603; (3) ‘‘electronic Government’’ means the use by the Government of web-based Internet applications and other information technologies, combined with processes that implement these technologies, to— (A) enhance the access to and delivery of Government information and services to the public, other agencies, and other Government entities; or (B) bring about improvements in Government operations that may include effectiveness, efficiency, service quality, or transformation; (4) ‘‘enterprise architecture’’— (A) means— (i) a strategic information asset base, which defines the mission; (ii) the information necessary to perform the mission; (iii) the technologies necessary to perform the mission; and (iv) the transitional processes for implementing new technologies in response to changing mission needs; and (B) includes— (i) a baseline architecture; (ii) a target architecture; and (iii) a sequencing plan; (5) ‘‘Fund’’ means the E-Government Fund established under section 3604;...
- Extracted authority condition: (3) The term ‘‘information security’’ means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide— (A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity; (B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and (C) availability, which means ensuring timely and reliable access to and use of information.
Safeguarding and dissemination controls
- DoD applicable policies: DoDI 8500.01, DoDI 8510.01, DoDI 8531.01
- NARA basic or specified: Basic
- NARA authority rows:
  - 44 USC 3554 (see OMB M-24-04 for implementing guidance) | status: Basic | banner: CUI
  - 44 USC 3555(f) | status: Basic | banner: CUI
- NARA banner markings: CUI
- No DoD required dissemination control is listed on the registry page. Apply approved limited dissemination controls only when required or permitted by the designating agency or governing authority.
- Use the registry assertions, NARA authority rows, DoD authorities, DoD policies, warning statements, required dissemination controls, and examples first. Where the cited authority does not specify a handling detail, apply CUI Basic safeguards and dissemination rules so long as they do not conflict with the authority or agency-specific controls.
- Extracted authority control: Authority and functions of the Director and the Secretary (a) Director.—The Director shall oversee agency information security policies and practices, including— (1) developing and overseeing the implementation of policies, principles, standards, and guidelines on information security, including through ensuring timely agency adoption of and compliance with standards promulgated under section 11331 of title 40; (2) requiring agencies, consistent with the standards promulgated under such section 11331 and the requirements of this subchapter, to identify and provide information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of— (A) information collected or maintained by or on behalf of an agency; or (B) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency; (3) ensuring that the Secretary carries out the authorities and functions under subsection (b); (4) coordinating the development of standards and guidelines under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) with agencies and offices operating or exercising control of national security systems (including the National Security Agency) to assure,...
- Extracted authority control (a statutory note on data breach notification; the extraction begins mid-citation): L. 113–283, § 2(d), Dec. 18, 2014, 128 Stat. 3085, provided that: ‘‘(1) Requirements.—The Director of the Office of Management and Budget shall ensure that data breach notification policies and guidelines are updated periodically and require— ‘‘(A) except as provided in paragraph (4), notice by the affected agency to each committee of Congress described in section 3554(c)(1) of title 44, United States Code, as added by subsection (a), the Committee on the Judiciary of the Senate, and the Committee on the Judiciary of the House of Representatives, which shall— ‘‘(i) be provided expeditiously and not later than 30 days after the date on which the agency discovered the unauthorized acquisition or access; and ‘‘(ii) include— ‘‘(I) information about the breach, including a summary of any information that the agency knows on the date on which notification is provided about how the breach occurred; ‘‘(II) an estimate of the number of individuals affected by the breach, based on information that the agency knows on the date on which notification is provided, including an assessment of the risk of harm to affected individuals; ‘‘(III) a description of any circumstances necessitating a delay in providing notice to affected individuals; and ‘‘(IV) an estimate of whether and when the agency will provide notice to affected individuals;...
- Extracted authority control: National security systems The head of each agency operating or exercising control of a national security system shall be responsible for ensuring that the agency— (1) provides information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information contained in such system; (2) implements information security policies and practices as required by standards and guidelines for national security systems, issued in accordance with law and as directed by the President; and (3) complies with the requirements of this subchapter.
- Extracted authority control: Purposes The purposes of this subchapter are to— (1) provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets; (2) recognize the highly networked nature of the current Federal computing environment and provide effective governmentwide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security, and law enforcement communities; (3) provide for development and maintenance of minimum controls required to protect Federal information and information systems; (4) provide a mechanism for improved oversight of Federal agency information security programs, including through automated security tools to continuously diagnose and improve security; (5) acknowledge that commercially developed information security products offer advanced, dynamic, robust, and effective information security solutions, reflecting market solutions for the protection of critical information infrastructures important to the national defense and economic security of the nation that are designed, built, and operated by the private sector;...
- Extracted authority control: (2) Procedures for Use of Authority.—The Secretary shall— (A) in coordination with the Director, and in consultation with Federal contractors as appropriate, establish procedures governing the circumstances under which a directive may be issued under this subsection, which shall include— (i) thresholds and other criteria; (ii) privacy and civil liberties protections; and (iii) providing notice to potentially affected third parties; (B) specify the reasons for the required action and the duration of the directive; (C) minimize the impact of a directive under this subsection by— (i) adopting the least intrusive means possible under the circumstances to secure the agency information systems; and (ii) limiting directives to the shortest period practicable; (D) notify the Director and the head of any affected agency immediately upon the issuance of a directive under this subsection; (E) consult with the Director of the National Institute of Standards and Technology regarding any directive under this subsection that implements standards and guidelines developed by the National Institute of Standards and Technology; (F) ensure that directives issued under this subsection do not conflict with the standards and guidelines issued under section 11331 of title 40;...
DoDI 8500.01
Listed by: Related authorities
Designation evidence
- Related authority evidence: DoD lists this applicable policy for the category; the linked policy text is extracted below when available.
- Registry designation context: Basic, CUI. The linked authority text contains category-scope or applicability language that helps determine when the information falls within this CUI category. The linked authority text contains disclosure, access, protection, release, dissemination, or distribution-control language relevant to handling. The linked authority text contains violation, penalty, sanction, or enforcement language that may affect consequences for mishandling.
- Registry designation for this category is Basic with banner CUI.
Extracted authority meaning
- Title: DoDI 8500.01, March 14, 2014, Incorporating Change 1 on October 7, 2019
Operating conditions
- Extracted authority condition: Requests for proposals will include sufficient information on which to evaluate each offeror’s proposed approach to satisfying the security control requirements.
- Extracted authority condition: (b) Examples of platforms that may include PIT (platform information technology) are: weapons systems, training simulators, diagnostic test and maintenance equipment, calibration equipment, equipment used in the research and development of weapons systems, medical devices and health information technologies, vehicles and alternative fueled vehicles (e.g., electric, bio-fuel, Liquid Natural Gas that contain car-computers), buildings and their associated control systems (building automation systems or building management systems, energy management system, fire and life safety, physical security, elevators, etc.), utility distribution systems (such as electric, water, waste water, natural gas and steam), telecommunications systems designed specifically for industrial...
- Extracted authority condition: DoD Components must share security authorization packages with affected information owners or...
- Extracted authority condition: DoD’s information sharing policies and procedures are defined in DoDD 8320.02 (Reference (cr)) and DoDI 8320.07 (Reference (cs)).
Safeguarding and dissemination controls
- Extracted authority control: All DoD information in electronic format will be given an appropriate level of confidentiality, integrity, and availability that reflects the importance of both information sharing and protection.
- Extracted authority control: Information systems must protect classified information and CUI from unauthorized access by requiring authentication in accordance with Reference (ck) prior to making an access decision.
- Extracted authority control: (2) DoD-originated and DoD-provided information residing on mission partner ISs must be properly and adequately safeguarded, with documented agreements indicating required levels of protection.
- Extracted authority control: Information and infrastructure that support identity reliant functions, processes, and procedures used in support of DoD operations, including but not limited to identity credentialing, will incorporate measures to ensure the confidentiality, integrity, authenticity, and availability of identity data or identity credentials.
- Extracted authority control: ...judicial sanctions if they knowingly, willfully, or negligently compromise, damage, or place at risk DoD information by not ensuring implementation of DoD security requirements in...
- Extracted authority control: Defines, develops, and integrates systems security engineering (SSE) into the systems engineering workforce and curriculum in accordance with DoDI 5134.16 (Reference (ax)).
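The authenticate-before-deciding requirement in the DoDI 8500.01 control above, shown as an added example (it is not text or code from DoDI 8500.01 or from any DoD system): a weak handler that makes the access decision on a self-asserted identity header, beside a hardened handler that verifies a signed token first and only then consults the access list. The token format (an HMAC-SHA256 tag over subject and expiry), the server secret, the ACL and the record names are constructed for the demonstration; DoD systems authenticate with PKI-based credentials, and the shared-secret token here only stands in for whatever credential the system actually verifies.

```python
"""Authenticate before deciding access: constructed example, not DoDI 8500.01 text.

The weak handler decides on a self-asserted identity header. The hardened
handler verifies a signed token first and only then consults the access list,
so an unauthenticated request never reaches the access decision.
Token format, secret and ACL are assumptions for the demonstration.
"""
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed access list: subjects permitted to read each CUI-marked record.
ACL: Dict[str, set] = {"record-42": {"alice"}}

# Constructed server-side key. A real system would hold this in a credential
# store, and DoD systems authenticate with PKI credentials rather than a
# shared-secret token; the token here only stands in for a verified credential.
SECRET = b"constructed-demo-key-do-not-reuse"


def issue_token(subject: str, ttl_seconds: int = 300, now: Optional[float] = None) -> str:
    """Mint 'subject|expiry|hex(HMAC-SHA256(SECRET, subject|expiry))'."""
    now = time.time() if now is None else now
    payload = f"{subject}|{int(now) + ttl_seconds}"
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def authenticate(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the verified subject, or None for a malformed, forged or expired token."""
    now = time.time() if now is None else now
    parts = token.split("|")
    if len(parts) != 3:
        return None
    subject, expiry, tag = parts
    expected = hmac.new(SECRET, f"{subject}|{expiry}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes: a plain == would leak the tag byte by byte.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    # Only a token we issued reaches here, so expiry is the integer we wrote.
    if now >= int(expiry):
        return None
    return subject


def weak_read(headers: Dict[str, str], record: str) -> bool:
    """Access decision made on an unauthenticated, caller-supplied identity."""
    claimed = headers.get("X-User", "")
    return claimed in ACL.get(record, set())


def hardened_read(headers: Dict[str, str], record: str, now: Optional[float] = None) -> bool:
    """Authenticate first; only a verified subject is evaluated against the ACL."""
    subject = authenticate(headers.get("Authorization", ""), now)
    if subject is None:
        return False
    return subject in ACL.get(record, set())


if __name__ == "__main__":
    forged = {"X-User": "alice"}  # anyone on the network can send this header
    print("weak handler, forged header:", weak_read(forged, "record-42"))  # True
    print("hardened, forged header:", hardened_read(forged, "record-42"))  # False
    print("hardened, issued token:",
          hardened_read({"Authorization": issue_token("alice")}, "record-42"))  # True
```

The ordering is the whole point: the weak handler's ACL is correct, yet it grants access to anyone who types the right header, because the identity it evaluates was never authenticated. The hardened handler returns the same answer for a missing header, a malformed token, a forged tag and an expired token, so the ACL is only ever consulted for a subject the system has verified.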
DoDI 8510.01
Listed by: Related authorities
Designation evidence
- Related authority evidence: DoD lists this applicable policy for the category; the linked policy text is extracted below when available.
- Registry designation context: Basic, CUI. The linked authority text contains category-scope or applicability language that helps determine when the information falls within this CUI category. The linked authority text contains disclosure, access, protection, release, dissemination, or distribution-control language relevant to handling. The linked authority text contains violation, penalty, sanction, or enforcement language that may affect consequences for mishandling.
- Registry designation for this category is Basic with banner CUI.
Extracted authority meaning
- Title: DoDI 8510.01, "Risk Management Framework for DoD Systems," July 19, 2022
Operating conditions
- Extracted authority condition: (6) Review the security authorization documentation package in light of mission and information environment indicators and determine a course of action provided to the responsible CIO or CISO for reporting requirements described in FISMA.
- Extracted authority condition: potential circumstance or event in the interdependent network of information technology infrastructures, and includes telecommunications networks, computer systems, and embedded processors and controllers.
- Extracted authority condition: Categorize the system in accordance with CNSSI No. 1253 based on the information analyzed, stored, and relayed by the system and an analysis of the impact of potential loss of confidentiality, integrity, and availability to organizational operations and assets, individuals, other organizations, and the Nation with respect to the loss of confidentiality, integrity, and availability of organizational systems.
Safeguarding and dissemination controls
- Extracted authority control: DoD RMF practitioners need access to RMF direction, standards, and tools to effectively and efficiently apply the appropriate methods, standards, and practices required to protect DoD information technology.
- Extracted authority control: (b) Performs the Risk Executive Function as described in DoDI 8500.01 and NIST SP 800-39, and makes enterprise level risk acceptance determinations for authorized enterprise systems, satisfying the requirements of cybersecurity reciprocity.
- Extracted authority control: Verifies DoD Component acquisition program executive offices and PMs are accountable for coordinating tradeoff decisions during sustainment of systems (i.e., decisions to withhold or delay vulnerability remediation, which significantly impact survivability of systems under conditions of the intended operational environment) with the requirements sponsors, AO, and Component cyberspace operations forces.
- Extracted authority control: Assesses the overall security posture of National Security Systems, identifies their vulnerabilities, and disseminates information regarding threats to DoD.
- Extracted authority control: (1) The Adaptive Acquisition Framework is defined and illustrated in DoDI 5000.02.
DoDI 8531.01
Listed by: Related authorities
Designation evidence
- Related authority evidence: DoD lists this applicable policy for the category; the linked policy text is extracted below when available.
- Registry designation context: Basic, CUI. The linked authority text contains category-scope or applicability language that helps determine when the information falls within this CUI category. The linked authority text contains disclosure, access, protection, release, dissemination, or distribution-control language relevant to handling.
- Registry designation for this category is Basic with banner CUI.
Extracted authority meaning
- Title: DoDI 8531.01, "DoD Vulnerability Management," September 15, 2020
Operating conditions
- DoD lists this applicable policy for the category; the linked policy text is extracted below when available.
- Extracted authority condition: (2) Information submitted to DoD through the VDP must be used for defensive purposes to mitigate or remediate vulnerabilities in DODIN systems, subsystems, or system components.
- Extracted authority condition: Establishes policy, assigns responsibilities, and provides procedures for DoD vulnerability management and response to vulnerabilities identified in all software, firmware, and hardware within the DoD information network (DODIN).
- Extracted authority condition: Coordinates any DoD vulnerability management, asset management, configuration management, and remediation or mitigation management issues or concerns with Commander, United States Cyber Command (USCYBERCOM), and Joint Force Headquarters-DoD Information Network (JFHQ-DODIN).
- Extracted authority condition: Conduct monthly non-authenticated and authenticated vulnerability scans to obtain accurate system information for continuous monitoring of previously affected systems.
Safeguarding and dissemination controls
- Extracted authority control: (6) Details of how the loss of confidentiality, integrity, or availability could affect DoD operations, organizational assets, or individuals (e.g., limited, serious, catastrophic, or cataclysmic effects).
- Extracted authority control: Coordinates with DoD SISO on security policy and related intelligence and security matters for safeguarding information on systems and networks.
- Extracted authority control: The DoD Components will perform impact assessments to determine the likely expected loss of integrity, confidentiality, and availability if the vulnerability is not remediated or mitigated.
- Extracted authority control: Determine, on a case-by-case basis, which remediation or mitigation method is most beneficial and consider the loss of confidentiality, integrity, and availability.
- Extracted authority control: Assesses the overall security posture of all DoD systems and disseminates information on threats and vulnerabilities impacting DoD system components in coordination with USCYBERCOM.