28 C.F.R. § 16.51
(a) Each component shall establish and maintain administrative, technical, and physical controls consistent with applicable Department and Government-wide laws, regulations, policies, and standards, to ensure the security and confidentiality of records, and to protect against reasonably anticipated threats or hazards to their security or integrity, including against any reasonably anticipated unauthorized access, use, or disclosure, which could result in substantial harm, embarrassment, inconvenience, or unfairness to individuals about whom information is maintained. The stringency of these controls shall correspond to the sensitivity of the records that the controls protect. At a minimum, each component shall maintain administrative, technical, or physical controls to ensure that: