§ 16.51 - Security of systems of records.

(a) Each component shall establish and maintain administrative, technical, and physical controls consistent with applicable Department and Government-wide laws, regulations, policies, and standards, to ensure the security and confidentiality of records, and to protect against reasonably anticipated threats or hazards to their security or integrity, including against any reasonably anticipated unauthorized access, use, or disclosure, which could result in substantial harm, embarrassment, inconvenience, or unfairness to individuals about whom information is maintained. The stringency of these controls shall correspond to the sensitivity of the records that the controls protect. At a minimum, each component shall maintain administrative, technical, or physical controls to ensure that:

(1) Records are protected from unauthorized access, including unauthorized public access;

(2) The physical area in which records are maintained is supervised or appropriately secured to prevent unauthorized persons from having access to them;

(3) Records are protected from damage, loss, or unauthorized alteration or destruction; and

(4) Records are not disclosed to unauthorized persons or to authorized persons for unauthorized purposes in either oral or written form.

(b) Each component shall establish procedures that restrict access to records to only those individuals within the Department who must have access to those records in order to perform their duties and that prevent inadvertent disclosure of records.

(c) The CPCLO, or a designee of the CPCLO, may impose additional administrative, technical, or physical controls to protect records in consultation with the Chief Information Officer and the Director of the Office of Records Management Policy.