Abstract
This publication provides guidance to agencies for identifying personally identifiable information (PII) and determining the appropriate level of protection for it. It also suggests controls to provide that level of protection and gives recommendations for developing breach response plans. Its risk-based approach means that agencies should put the bulk of their efforts into protecting the most critical information.