Skip to content Skip to navigation
The University of New Mexico

Security Risk Classification (NIST/CUI/FISMA)

Description of what this means and how it aligns with the Controlled Unclassified Information (CUI) Standards driven by UNM policy....

Low Risk ("P" Class)


Data and systems are classified as Low Risk if:

  • they are not considered to be Moderate or High Risk

  • The data is intended for public disclosure, or

  • The loss of confidentiality, integrity, or availability of the data or system would have no adverse impact on our mission, safety, finances, or reputation.




Moderate Risk ("C" Class)


Data and systems are classified as Moderate Risk if:

  • they are not considered to be High Risk, and:

  • The data is not generally available to the public, or

  • The loss of confidentiality, integrity, or availability of the data or system could have a mildly adverse impact on our mission, safety, finances, or reputation.


High Risk ("E" Class)


Data and systems are classified as High Risk if:

  • Protection of the data is required by law/regulation,

  • UNM is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed, or

  • The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.