Topics PII & CUI with AI Agents
Series · 6 posts Contact
Transparency

Accuracy Rubric

Compliance content carries real risk when it's wrong. This page lists every factual claim made in this series, its authoritative source, and its verification status. Claims are re-checked whenever a post is updated. If you spot an error, email [email protected] — corrections are applied within 48 hours and logged here.

Legend

Verified
~ Partially verified
Editorial / opinion
Corrected

Confidence score (verified claims only)

95–100% — exact match to cited primary source  ·  85–94% — confirmed with minor caveats  ·  <85% — partially confirmed, context-dependent

Claim-by-claim review

"PII definition: 'information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information'"

Verified 100% confidence

Source
NIST CSRC Glossary (OMB Circular A-130, NIST SP 800-122)

Exact canonical wording from NIST. Supersedes older OMB M-07-16 phrasing 'identify, contact, or locate'.

"GDPR uses the term 'personal data'; CCPA adds household scope; HIPAA is health-context focused"

Verified 98% confidence

"Sweeney (2000): 87% of Americans identifiable by ZIP code, date of birth, and sex"

Verified 97% confidence

Source
Sweeney, L. (2000). Simple Demographics Often Identify People Uniquely. Carnegie Mellon University, Data Privacy Working Paper 3.

Based on 1990 US Census data. The exact percentage applies to that dataset; the re-identification risk principle is widely confirmed in subsequent research.

"EO 13556 was signed November 4, 2010 and created the CUI program"

Verified 100% confidence

"NARA's ISOO serves as Executive Agent for the CUI program"

Verified 100% confidence

"CUI registry has 20 category groupings"

Verified 99% confidence

Source
NARA CUI Registry Category List

Count as of July 2026: Critical Infrastructure (11), Defense (5), Export Control (2), Financial (10), Immigration (7), Intelligence (8), International Agreements (1), Law Enforcement (17), Legal (11), Natural/Cultural Resources (3), NATO (2), Nuclear (5), Patent (3), Privacy (9), Procurement (3), Proprietary Business (6), Provisional (9), Statistical (4), Tax (4), Transportation (2).

"CUI Privacy category: governed by Privacy Act (5 USC 552a), OMB A-130, OMB M-17-12"

Verified 99% confidence

Source
NARA CUI Registry — Privacy category detail

Banner marking: CUI//SP-PRVCY for specified authorities.

"CUI Export Control: governed by 22 CFR (ITAR) and 15 CFR (EAR)"

Verified 98% confidence

"CUI Legal category: governed by 5 USC 552 and Federal Rules of Civil Procedure"

Verified 92% confidence

Source
NARA CUI Registry — Legal category (11 subcategories)

The governing authorities vary significantly by subcategory. '5 USC 552 and FRCP' covers the General Legal subcategory; others have different statutes. The original post text citing 'ABA Rules, court orders' was imprecise and has been corrected.

"NIST SP 800-171 Rev. 3 is the current version (final May 14, 2024, 97 requirements)"

Verified 100% confidence

Source
NIST SP 800-171 Rev. 3 (May 14, 2024). Rev. 2 withdrawn same date.

Rev. 3 reduced the requirement count from 110 (Rev. 2) to 97 and introduced Organization-Defined Parameters (ODPs).

"NIST SP 800-171 applies to contractors and subcontractors handling CUI in nonfederal systems"

Verified 100% confidence

"CUI is 'not classified' — it sits below the classified threshold"

Verified 100% confidence

"Prior to EO 13556, more than 100 different markings for sensitive unclassified info existed across the executive branch"

Verified 96% confidence

"Design principle: run deterministic pass (regex + keyword) then model-grounded pass for context-dependent fields"

Editorial / opinion

Source
Author's engineering recommendation — not a regulatory requirement

This is a practical design pattern informed by NLP/ML best practice, not sourced from a specific standard. Labeled as editorial guidance.
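As an added illustration of the two-pass design principle above (example code written for this page, not taken from the series' posts or any standard), the deterministic first pass decides direct identifiers with regexes and escalates only context-dependent cases, such as the Sweeney ZIP/DOB/sex triple, to the model-grounded second pass. The patterns, the keyword hint list, the ScanResult type and the sample record are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Deterministic pass: high-precision patterns for direct identifiers.
# These are assumed example patterns, not the series' own detector.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d\d\b"),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    "sex": re.compile(r"\b(?:sex|gender)\s*[:=]?\s*(?:male|female|m|f)\b", re.IGNORECASE),
}
# Sweeney (2000) quasi-identifiers: individually weak, re-identifying in combination.
QUASI_TRIPLE = {"dob", "zip", "sex"}
# Keyword hinting at an SSN the regex may have missed (e.g. written without dashes);
# such spans are context-dependent and belong to the model-grounded pass.
SSN_HINT = re.compile(r"\b(?:ssn|social security(?: number)?)\b", re.IGNORECASE)


@dataclass
class ScanResult:
    direct: dict          # identifier type -> matched strings (decided here)
    quasi: set            # quasi-identifier types present in the text
    review_reasons: list  # why the model-grounded pass should examine this text

    @property
    def needs_model_pass(self) -> bool:
        return bool(self.review_reasons)


def deterministic_pass(text: str) -> ScanResult:
    """Regex + keyword pass; escalates only context-dependent cases."""
    direct = {name: rx.findall(text) for name, rx in PATTERNS.items()}
    direct = {name: hits for name, hits in direct.items() if hits}
    quasi = QUASI_TRIPLE & set(direct)
    reasons = []
    if quasi == QUASI_TRIPLE:
        reasons.append("ZIP + DOB + sex co-occur (Sweeney re-identification risk)")
    if SSN_HINT.search(text) and "ssn" not in direct:
        reasons.append("identifier keyword present but no pattern matched")
    return ScanResult(direct, quasi, reasons)


if __name__ == "__main__":
    # Constructed sample record; every value is fictitious.
    sample = "Patient: sex: F, DOB 03/14/1985, ZIP 15213, SSN 123-45-6789, email jane.doe@example.com."
    print(deterministic_pass(sample))
```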

Methodology

Each factual claim (regulatory citations, statistics, definitions, authority attributions) is verified against its primary source — the actual statute, executive order, NIST publication, or original research paper — not secondary summaries. Where the primary source is ambiguous, confidence is reduced and the ambiguity is noted.

Editorial claims — design principles, engineering recommendations, and architectural opinions — are labeled as such and are not assigned a confidence score. They reflect the author's engineering judgment and should be evaluated on their merits, not treated as regulatory requirements.

Scope: This rubric covers the factual accuracy of content, not legal advice. Nothing in this series constitutes legal counsel. Consult a qualified attorney for compliance decisions.
