ISC2 Governance, Risk and Compliance (CGRC) Practice Question
While drafting the System Security Plan (SSP) for a new case-management system, you learn that it will store and transmit employees' medical diagnoses and treatment histories. Using the categorization criteria in FIPS 199 and the information-type mappings in NIST SP 800-60, which confidentiality impact level and U.S. CUI marking should you assign to this data before selecting or tailoring security controls?
Low confidentiality impact; mark the data as Public with no special handling label
Moderate confidentiality impact; mark the data Internal Use Only
High confidentiality impact; mark the data as Controlled Unclassified Information (CUI) - Privacy (health information)
Moderate confidentiality impact; mark the data as Controlled Unclassified Information (CUI) under the Privacy category
NIST SP 800-60 identifies medical diagnosis and treatment data as a subtype of personal health information (PHI) and assigns it a High confidentiality impact because unauthorized disclosure could cause severe or catastrophic harm to individuals (for example, loss of employment, denial of insurance, or significant reputational damage). In U.S. federal environments, PHI is also Controlled Unclassified Information within the Privacy category; the standard limited dissemination marking for such data is "CUI//SP-PRVCY." Therefore, the correct classification is High confidentiality impact with the CUI Privacy (health information) marking. Lower impact levels or non-CUI markings would not satisfy federal guidance.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is FIPS 199 and its role in data classification?
Open an interactive chat with Bash
What is Controlled Unclassified Information (CUI) and why is it important in data governance?
Open an interactive chat with Bash
How does NIST SP 800-60 help identify impact levels for specific data types?
Open an interactive chat with Bash
What is the role of FIPS 199 in determining data categorization?
Open an interactive chat with Bash
What is NIST SP 800-60, and how does it aid in identifying information types?
Open an interactive chat with Bash
What does the Controlled Unclassified Information (CUI) marking signify?
Open an interactive chat with Bash
ISC2 Governance, Risk and Compliance (CGRC)
Selection and Approval of Framework, Security, and Privacy Controls
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .