3-2.3 Definitions of Classified, Sensitive, and Critical Information

3-2.3.1 Classified Information

Classified information is hardcopy or electronic information or material that has been designated as classified pursuant to executive order, statute, or regulation and requires protection against unauthorized disclosure for reasons of national security. National security reasons include national defense, foreign relations of the United States, intelligence activities, atomic weapons and special nuclear material, cryptologic activities related to national security, command and control of military forces, integral components of weapon systems, or matters critical to the direct fulfillment of military or intelligence missions. Classified designations include Confidential, Secret, and Top Secret. Categories of classified information include restricted data (RD), formerly restricted data (FRD), and national security information (NSI).

Note: Classified information must never be entered into any information resource that is (or may become) a part of or connected to the Postal Service information technology infrastructure. See the Inspection Service for the appropriate policy on handling classified information.

3-2.3.2 Sensitive-Enhanced Information

Sensitive-enhanced information is hardcopy or electronic information or material that is not designated as classified but that warrants or requires enhanced protection. Requirements to protect sensitive-enhanced information are derived from law, regulation, the law enforcement and judicial process, the payment card industry (PCI), and the Privacy Act. Types of sensitive-enhanced information include:

  1. Law enforcement information and court-restricted information, including grand jury material, arrest records, and information about ongoing investigations.
  2. PCI primary account number (PAN); i.e., full credit card number (16 characters).
  3. Personally identifiable information (PII), i.e., information used to distinguish or trace an individual’s identity such as name, Social Security number, driver license number, passport number, bank routing with account number, date with place of birth, mother’s maiden name, biometric data, and any other information which is linked or linkable to an individual.
  4. Information about individuals (e.g., employees, contractors, vendors, business partners, and customers) protected by law, including medical information and wire or money transfers.
  5. Information related to the protection of Postal Service restricted financial information, trade secrets, proprietary information, and emergency preparedness.
  6. Communications protected by legal privileges (e.g., attorney-client communications encompassing attorney opinions based on client-supplied information) and documents constituting attorney work products (created in reasonable anticipation of litigation).

3-2.3.3 Sensitive Information

Sensitive information is hardcopy or electronic information or material that is not designated as classified or sensitive-enhanced but that warrants or requires protection. Requirements to protect sensitive information are derived from law, regulation, the Privacy Act, business needs, and the contracting process. Types of sensitive information include:

  1. Private information about individuals (e.g., employees, contractors, vendors, business partners, and customers) including marital status, age, birth date, race, and buying habits.
  2. Confidential business information that does not warrant sensitive-enhanced protection including trade secrets, proprietary information, financial information, contractor bid or proposal information, and source selection information.
  3. Data susceptible to fraud including accounts payable, accounts receivable, payroll, and travel reimbursement.
  4. Information illustrating or disclosing information resource protection vulnerabilities, or threats against persons, systems, operations, or facilities such as physical, technical or network/DMZ/enclave/mainframe/server/workstation specifics including security settings, passwords, and audit logs.

3-2.3.4 Nonsensitive Information

Information that is not designated as classified, sensitive-enhanced, or sensitive information is by default designated as nonsensitive information. An example is publicly available information. Even though information is designated as nonsensitive information, it must still be protected (i.e., baseline requirements apply to all Postal Service information). Nonpublicly available information must not be sent over the Internet unprotected (e.g., unencrypted).

3-2.3.5 Critical (High) Information

Information is designated as critical (high) information if its unavailability would have a catastrophic adverse impact on the following:

  1. Customer or employee life, safety, or health.
  2. Payment to suppliers or employees.
  3. Revenue collection.
  4. Movement of mail.
  5. Communications.
  6. Legal or regulatory.

3-2.3.6 Critical (Moderate) Information

Information is designated as critical (moderate) information if its unavailability would have a serious adverse impact on the following:

  1. Customer or employee life, safety, or health.
  2. Payment to suppliers or employees.
  3. Revenue collection.
  4. Movement of mail.
  5. Communications.
  6. Legal or regulatory.
  7. Infrastructure services.

3-2.3.7 Noncritical Information

Information that is not designated as critical (high) or critical (moderate) is by default designated as noncritical.