CDC has revised the policy titled Sensitive But Unclassified Information. The purpose of this revision is to provide policy and procedures that allow CDC to accomplish its public health mission while safeguarding data and documents that are sensitive enough to require protection but that may not otherwise be designated as classified information. This policy contains guidance on:
To go directly to the policy, enter the following [CDC Intranet] URL into the location line of your browser: http://intraspn.cdc.gov/maso/policy/Doc/policy464.htm The Office of Security and Emergency Preparedness is the proponent for this policy. If you have questions or comments about this policy, you may contact policy analyst Tom Jones at 404-498-1516, or send an e-mail message to the CDC Policy e-mailbox. James D. Seligman
- Establishment of coordinating center and national center- and office-level document control officers.
- Policy and procedures for document control officers to review and designate documents as sensitive but unclassified.
- Storage, dissemination, and protection requirements of sensitive but unclassified information.
- Roles and responsibilities regarding implementation of the program.
Chief Information Officer
SENSITIVE BUT UNCLASSIFIED INFORMATION
I. PURPOSE AND SCOPE
The purpose of this issuance is to provide policy and procedures that allow the Centers for Disease Control and Prevention (CDC) to accomplish its public health mission while safeguarding data and documents that are sensitive enough to require protection but that may not otherwise be designated as classified information.
This policy applies to all employees, fellows, guest researchers, attached uniformed service members (United States Public Health Service [USPHS] Commissioned Corps, Department of Defense employees, and service members) contractors, subcontractors, or any other individual working at CDC or under the auspices thereof.
CDC is required by OMB Circular A-130, Management of Federal Information Resources, to
“Protect government information commensurate with the risk and magnitude of harm that could result from the loss, misuse, or unauthorized access to or modification of such information.”
Security programs and procedures already exist to protect classified matters. However, information generally available to the public as well as certain detectable activities may reveal the existence of, and sometimes details about, classified or sensitive information or undertakings. Such indicators may assist those seeking to neutralize or exploit U.S. Government actions (National Security Decision Directive Number 298). This policy is intended to minimize this risk.
III. ACRONYMS AND DEFINITIONS
A. For the purposes of this policy, the following acronyms apply:
1. CC/CO – coordinating centers and coordinating offices
2. CISO – Chief Information Security Officer
3. DCO – document control officer
4. HHS – Department of Health and Human Services
5. FOIA – Freedom of Information Act
6. ITSO – Information Technology Services Office
7. NC – national center
8. NSDD – National Security Decision Directive
9. OSEP - Office of Security and Emergency Preparedness
10. SDT – HHS Office of Security and Drug Testing
11. SBU – sensitive but unclassified
B. For the purposes of this policy, the following definitions apply:
1. Document control officer
a. NC- and office-level DCO – Employees at the NC or office level who are given responsibility by their NC or office director for the proper maintenance of records related to monitoring, safeguarding, storing, transmitting, and destroying information that is categorized as SBU in compliance with NSDD-189, National Policy on the Transfer of Scientific, Technical, and Engineering Information.
b. CC/CO DCO – Employees at the CC/CO-level who are given responsibility by their CC/CO director to review decisions made and/or to provide guidance to the NC or office DCO level.
c. OSEP DCO – When questions of sensitivity arise that cannot be decided at the NC, office, or CC/CO levels, the OSEP DCO shall serve as the final approval authority. The OSEP DCO shall also be responsible for conducting necessary training related to this policy.
2. Electronic media
Electronic media include magnetic tape reels, disk packs, diskettes, compact discs, removable hard disks, disk cartridges, optical disks, paper tape, reels, magnetic cards, tape cassettes, micro cassettes, videotapes, and any other device on which data are stored and that normally is removable from the system by the user or operator.
3. Exclusion area
An exclusion area is a security area with barriers that identify the boundaries and encompass the designated space and includes access controls and intrusion detection to provide reasonable assurance that only authorized personnel are allowed to enter and exit the area without escort. Access to an exclusion area requires a proximity card, access authorization, and a demonstrated need to know. The CDC’s current and proposed select agent laboratories are designated as exclusion areas.
4. Export controlled information or material
Export controlled information or material is information or material that cannot be released to foreign nationals or representatives of a foreign entity without first obtaining approval or license from the Department of State. This pertains to items controlled by the International Traffic in Arms Regulations or the Department of Commerce and includes items controlled by the Export Administration Regulations. Export controlled information must be controlled as SBU information and marked accordingly.
5. Freedom of Information Act
The law that requires the release of publicly requested information with several exceptions:
a. Exemption 1: Information that is currently and properly classified.
b. Exemption 2: Information that pertains solely to the internal rules and practices of the agency and disclosure of which would allow circumvention of agency regulations.
c. Exemption 3: Information specifically exempted by a statute establishing particular criteria for withholding. The language of the statute must clearly state that the information will not be disclosed.
d. Exemption 4: Information such as trade secrets and commercial or financial information obtained from a company on a privileged or confidential basis that, if released, would result in competitive harm to the company, impair the government's ability to obtain like information in the future, or impair the government's interest in compliance with program effectiveness.
e. Exemption 5: Intra-agency memoranda that are deliberative in nature. This exemption is appropriate for internal documents that are part of the decision-making process and contain subjective evaluations, opinions, and recommendations.
f. Exemption 6: Information that, if released, could reasonably be expected to constitute a clearly unwarranted invasion of the personal privacy of individuals.
g. Exemption 7: Records or information compiled for law enforcement purposes that:
i. could reasonably be expected to interfere with law enforcement proceedings;
ii. would deprive a person of a right to a fair trial or impartial adjudication;
iii. could reasonably be expected to constitute an unwarranted invasion of personal privacy of others;
iv. discloses the identity of a confidential source;
v. discloses investigative techniques and procedures; or
vi. could reasonably be expected to endanger the life or physical safety of any individual.
h. Exemption 8: Certain records of agencies responsible for supervision of financial institutions.
i. Exemption 9: Geological and geophysical information concerning wells.
6. Limited area
A limited area is a security area residing within the property protection area (see definition of property protection areas) with barriers that identify its boundaries and encompass the designated space. The perimeter of a building often defines the boundaries of a limited area. It has access controls and intrusion detection in place to provide reasonable assurance that only authorized personnel are allowed to enter and exit the area without escort. Access to a limited area requires a proximity card and access authorization.
7. Property protection areas
Property protection areas are defined by the outermost perimeter of the CDC facility, and this security area is established to protect against damage, destruction, and theft of CDC-owned property. At the Roybal site, the perimeter fence establishes the property protection area; it defines the boundaries of the Roybal Campus and controls personnel and vehicle access.
8. Proprietary Information
Proprietary information is information such as trade secrets and commercial or financial information obtained from a company on a privileged or confidential basis that, if released, would result in competitive harm to the company, impair the government's ability to obtain like information in the future, or impair the government's interest in compliance with program effectiveness.
9. Sensitive but unclassified
The “sensitive but unclassified” designation is applied to unclassified information that may be exempt from mandatory release to the public under FOIA. (For the nine FOIA exemptions, see the FOIA definition in this section.) SBU is the formal designation for information that, by law or regulation, requires some form of protection but is outside the formal system of classification, in accordance with Executive Order 12958, as amended.
10. Special exclusion area
A special exclusion area is a security area with barriers that identify its boundaries and encompass the designated space. Further, it includes access controls to provide reasonable assurance that only authorized personnel are allowed to enter and exit the area without escort. Access to a special exclusion area requires a proximity card, access authorization, demonstrated need to know, and intrusion detection. Personnel authorized for access to these areas are required to hold the appropriate level of security clearance.
All CDC employees and otherwise affiliated persons shall protect SBU information by following the procedures contained in this policy document and/or related policies of CDC, HHS, Executive Orders, other Presidential Directives, United States Federal Court rulings, and applicable laws of the United States of America.
A. Responsibilities of CDC OSEP Director (or the director’s designee) with regard to SBU information
1. Appoint one or more OSEP DCO(s) to implement this policy and procedures.
2. Conduct SBU training.
3. Provide guidance and advice to CC/CO and NC and office DCOs.
4. Form an appeal board, as needed, to render timely judgments concerning appeals to sensitivity determinations.
5. Forward challenges to sensitivity decisions to the SDT.
B. Responsibilities of CC/CO directors (or their designees) with regard to SBU information
Each CC/CO director (or the CC/CO director’s designee) shall appoint one or more CC/CO DCO(s) to review decisions made at the NC or office DCO level and to provide guidance to NC and office DCOs.
C. Responsibilities of NC and office directors (or their designees) with regard to SBU information
Each NC or office director (or the NC or office director’s designee) shall appoint one or more NC or office DCO(s) to review all submitted materials; render a sensitivity determination; and maintain records related to monitoring, safeguarding, storing, transmitting, and destroying information that is categorized as SBU in conformance with NSDD-189, National Policy on the Transfer of Scientific, Technical, and Engineering Information.
D. Responsibilities of NC and office DCO(s) with regard to SBU information
The NC and office DCO(s) shall review all submitted materials and render a sensitivity determination in accordance with this policy and applicable other laws, orders, rules, and regulations. Sensitivity determinations shall be documented in writing. Files will be maintained in accordance with the CDC Records Control Schedule.
NC- and office-level DCOs are responsible for reviewing and approving information for internal release, Web site content, and to clear policies and procedures for posting on the Intranet.
NC- and office-level DCOs are authorized to make sensitivity determinations ensuring that certain information is not for public release, and that information should be marked as SBU. However, any request for information from the public must be forwarded to the FOIA office for a determination and response.
E. Responsibilities of CC/CO DCO(s) with regard to SBU information
The CC/CO DCO(s) shall review decisions made by the NC or office DCO, as necessary, and will provide guidance to the NC or office DCO, as appropriate.
F. Responsibilities of OSEP DCO(s) with regard to SBU information
The OSEP DCO(s) shall implement this policy and related procedures; conduct necessary training; and provide guidance and advice to CC/CO and NC or office DCOs. When questions of sensitivity arise that cannot be decided upon at the NC, office, or CC/CO level, the OSEP DCO shall serve as the final decision-making authority.
G. Responsibilities of supervisors with regard to SBU information
Supervisors shall ensure that only authorized individuals – as identified in this policy –have access to SBU information. On an annual basis, and more often if necessary, supervisors shall inform their employees of the need to protect SBU information and of the requirement to have all documents that they create that might contain SBU should be sent to the NC- or office-level DCO(s) for a sensitivity determination. Supervisors shall enforce the procedures of this policy among their employees and within the work spaces for which they are responsible. Supervisors shall report suspected or known violations of this policy or procedures to the CC/CO DCO(s) immediately.
H. Responsibilities of employees and affiliated persons with regard to SBU information
Employees and affiliated persons, as provided in Section I of this policy, shall become knowledgeable of this policy and procedures and comply with the requirements established.
I. Responsibilities of CDC FOIA Officer with regard to SBU information
The CDC FOIA Officer shall provide advice, assistance, policy, and technical guidance on FOIA SBU issues to DCOs and management, as needed. The CDC FOIA Officer will obtain a sensitivity determination prior to a final FOIA decision to release or deny CDC records to the public.
J. Responsibilities of CDC CISO with regard to SBU information
The CDC CISO shall provide advice, assistance, policy, and technical guidance on information systems security with emphasis on Federal Information Security and Management Act of 2002, and the Computer Security Act of 1987.
The following procedures should be followed with regard to SBU:
A. Review and approval of information prior to public release
The CC/CO and NC- or office-level DCOs are authorized to review and approve information for posting on the CDC Intranet Web site and to make sensitivity determinations to ensure that certain information is not for public release and that the information is marked as SBU.
CC/CO and NC- or office-level DCOs are responsible for establishing submission procedures and making these procedures known to affected personnel.
Marking information SBU does not automatically qualify it for a public release exemption. If a public request for a SBU document is received, the information should be reviewed by the CC/CO DCO to determine if it actually qualifies for exemption. However, only the CDC FOIA Officer is delegated the authority to approve withholding information requested by the public under FOIA.
In reviewing documents, the absence of the SBU or other related marking does not necessarily mean the information should be publicly released. Some types of records (e.g., most human resources and financial information) are not normally marked SBU but may still qualify for withholding under FOIA, unless otherwise authorized for release by the individual. Therefore, all information should be reviewed and approved prior to its public release.
The requirement for a sensitivity review applies equally to hard copy and electronic documents. Electronic documents that require sensitivity review include, but are not limited to, submissions to online publications; documents that are drafted or stored on a publicly accessible home page; and submissions to another Internet site, regardless of site or location.
When any portion of information proposed to be disclosed "might" be covered by a nondisclosure agreement, there must be no steps taken toward public disclosure until written permission from the OSEP DCO is received. This is a lifetime obligation that remains in effect as long as the information remains sensitive.
B. Pre-publication review of Web site content
Information on the Internet may be intended for a limited audience; however, it actually becomes available to a world-wide audience. The World Wide Web was not designed with security in mind, and unencrypted information is at high risk of compromise. CDC CISO and ITSO guidelines take into account what security access controls, if any, are in effect for specific sites, the sensitivity of the information, and the target audience to which the information is intended.
Most types of SBU information shall not go on a Web site unless that site is protected by encryption.
Before putting unmarked information on a Web site, the information should receive a sensitivity review by the NC or office DCO and/or the CC/CO DCO to which the information belongs. The CC/CO director or the director’s representative may also conduct a review of the information.
CDC sensitivity determinations and classification decisions require that when judgments are made that consideration should be given to the potential consequences of aggregation. The term "sensitive by aggregation" refers to the fact that information on one Web site may seem unimportant, but, when combined with information from other Web sites, it may form a larger and more complete picture than was intended or desired. Similarly, the compilation of a large amount of information together on one site may increase the sensitivity of that information and make it more likely that the Web site will be accessed by those seeking information that can be used against CDC.
Personal information – such as addresses; telephone numbers, other than those readily available to the public; social security numbers; dates of birth; names of family members in biographical summaries, etc. – should not be posted on the Internet.
C. Sensitivity decision and notification
If a sensitivity decision is in question after review by the NC- or office-level DCO and the CC/CO DCO, the decision should be referred by the CC/CO DCO to the OSEP DCO via e-mail or inter-office mail. The OSEP DCO shall issue a decision within 15 working days as to the sensitivity of information of a draft document. If a decision cannot be made, or if it is determined that the information should be classified, the document will be sent to either a security review panel at CDC OSEP and/or forwarded to SDT for a sensitivity determination. The originator will be promptly notified as to the status of the document by the OSEP DCO.
D. Appeal of sensitivity decision
Sensitivity determinations may be appealed by a formal written request via e-mail or inter-office mail from the originator through the affected CC/CO director and sent to the Director of OSEP for a final determination.
E. Categories of SBU Information
Sensitive information consists of any information exempted from FOIA and includes, but is not limited to, information related to personnel, security, and select agents.
Examples include, but are not limited to:
General personnel information such as evaluation and performance data; security information, including background investigation results and adjudication, and infractions/incident reports; personal information, when associated with an individual’s work on topics where security is involved (e.g., names and details of those working with select agents, classified data, counterintelligence) or with those individuals who are authorized to have a level of access beyond the average CDC employee/contractor/visitor.
Facility blueprints and other detailed facility information; databases associated with the physical security system; vulnerabilities of such facilities or sensitive information; network security information; security procedures; access codes (combinations or passwords); badge design information; security audit results; physical security performance test results; results of response force exercises; incident reports and disciplinary actions; response force capabilities; and security plans.
3. Select agents
Databases and lab records associated with the select agent program including, but not limited to, inventory databases and chain of custody records; select agent transfer records; documentation associated with an experiment resulting in an unexpected result banned by 9 CFR § 121.10; and information deemed too sensitive for public release by a review and approval panel.
F. SBU mandatory release exemptions under FOIA
Information in either electronic or hard copy form determined to be SBU must fall within one or more of the nine FOIA exemption categories identified in Section II. B. 5. to be exempt from mandatory release to the public.
G. SBU personnel access requirements
citizen direct-hire supervisory employees are responsible for access, dissemination, and release of SBU material. Employees will limit access to protect SBU information from unintended public disclosure. United States
Employees may circulate SBU materials to others, including non-United States citizens, to carry out an official United States Government function, if not otherwise prohibited by law, regulation, or interagency agreement.
H. SBU safeguarding and storage requirements
1. Protection of SBU information while in use
Reasonable precautions should be taken to prevent access to sensitive information by persons who do not require the information to perform their jobs (e.g., sensitive documents should not be read in a public place or taken home).
2. Storage rules for SBU information
Sensitive information, both in hard copy and electronic form, should be physically protected and should be stored in limited areas. Exclusion areas and special exclusion areas are also acceptable storage locations, but high containment laboratories should only be used as storage areas for sensitive information when absolutely necessary. Storing sensitive information in a property protection area or a public area is only acceptable if additional protections are taken to increase protection to a level comparable to that in a limited area.
All sensitive information existing in hard copy should be stored within a locked container in a limited or exclusion area, an access controlled electronic environment, or under the physical control of an authorized individual. On occasions when an individual is traveling within the
and limited or exclusion areas are not available, a locked container within a locked room will suffice (e.g., locked briefcase or suitcase within a locked hotel room or vehicle). Sensitive information should not be taken outside the United States . United States
Information handled electronically and transmitted over the network is at a higher risk of being released or altered. Sensitive information stored on the CDC network should be protected at a level that can ensure that only those who are authorized to view the information are allowed access (e.g., machine-generated passwords, encryption). The CDC network systems should maintain a high level of electronic protection (e.g., firewalls, intrusion detection, defense-in-depth, isolation of sensitive information, good practices network administration) to ensure the integrity of sensitive information and to prevent unauthorized access into these systems. Regular review of the protection methods used and system auditing are also critical to maintain protection of these systems.
The physical elements of the network systems that store and transmit sensitive information or that have direct access to sensitive information should be secured within a limited area or exclusion area. The more central the information resource is (e.g., a network or security system control room), the higher the level of access control that should be applied.
I. SBU marking requirements
Information that has been determined to be SBU should be designated as SBU with the following appropriate markings and labels:
Documents containing sensitive information should be covered with a “Sensitive But Unclassified” cover page, and the outside of the back cover should be marked “Sensitive But Unclassified.”
Internal pages of the document should be marked “Sensitive But Unclassified” at the top and bottom of each page in letters clearly distinguishable from the text. The acronym SBU may be used when space does not permit spelling out “Sensitive But Unclassified.”
The first page should contain the following statement at the lower left hand corner and should be completed with the applicable FOIA exemption number(s):
“Sensitive But Unclassified (SBU)
This document contains information that may be exempt from public release under the Freedom of Information Act (FOIA) (5 U.S.C. 552),exemption(s) ______ apply. Approval by the Centers for Disease Control and Prevention Document Control Officer, Office of Security and Emergency Preparedness, and the CDC FOIA Officer, prior to public release via the FOIA Office is required.“
2. Electronic media
Electronic media containing sensitive information should be labeled “Sensitive But Unclassified.” The label should be plainly visible and should be applied in a way that does not interfere with the drive mechanism. The outer covering for any of the above removable storage media should also be marked “Sensitive But Unclassified.”
Videotapes should also contain “Sensitive But Unclassified” at the beginning and end of the played video, if possible. Audio cassettes, if possible, should contain an audible statement at the beginning and end of the played portion that informs the listener that the tape contains SBU information.
3. Blueprints, engineering drawings, charts, and maps
Blueprints, engineering drawings, charts, and maps containing sensitive information should be marked “Sensitive But Unclassified - Building Information” or "SBU-BI" at the top and bottom of each page. If the blueprints, drawings, charts, or maps are large enough that they are likely to be rolled or folded, “Sensitive But Unclassified - Building Information” should be placed so that the marking is visible when the item is rolled or folded.
4. Photographs and negatives
Photographs containing sensitive information should be marked “Sensitive But Unclassified” on the face, if possible. If this cannot be done, the marking should be placed on the reverse side. Negatives, positives, or other film containing sensitive information should be marked “Sensitive But Unclassified” on the film itself, if possible; otherwise, it should be protected inside a marked container.
J. Reproduction of SBU information
SBU documents may be reproduced without the permission of the originator to the extent necessary to carry out official CDC activities. Copies should be protected in the same manner as originals. In the event of a copy machine malfunction, the copy machine should be cleared and all paper paths checked for papers containing sensitive information.
K. SBU transfer requirements
1. Communicating sensitive information
Sensitive information may be communicated in the following ways:
From person to person in direct contact with one another; over a land-line telephone; via first class, priority, or overnight mail; via fax machine; via e-mail to and from CDC e-mail addresses that reside completely within the CDC network ([...]@cdc.gov); via e-mail to and/or from an e-mail address outside of the CDC network, provided that the sensitive data is encrypted and authenticated.
2. Discussing sensitive information via telephone or video conference
Although sensitive information may be discussed on landline telephones, sensitive information should not be discussed on cellular phones. Sensitive information should not be transmitted via open network communication channels, including online video conferencing unless such a conference is held on a restricted network.
3. Mailing of sensitive information
Transmission of sensitive information should be done in a manner that informs those with a need-to-know of the level of sensitivity while not advertising the fact to the general public. It is also important to use a reliable means of shipping. These considerations help to avoid unauthorized disclosure or dissemination of sensitive information.
4. Internal mail
Before transmitting sensitive information through the CDC internal mail, the information should have appropriate markings and cover sheet and should be placed in a SBU envelope.
5. External mail
Sensitive information sent outside CDC premises should be transmitted via first class mail, priority, or overnight mail. The outer wrapping should not be marked in a manner that would reveal the contents of the envelope or package to unauthorized personnel.
6. Faxing of sensitive but unclassified Information
Prior to faxing sensitive information, the sender should confirm that an authorized person will be present to accept the transmittal at the receiving end, or the sender should verify that the receiving facility is protected in a manner sufficient to preclude unauthorized access to the transmitted material.
7. Electronic transmission
Sensitive information should be encrypted and authenticated if it is sent from the CDC network to an unsecured (non-CDC) network. Sensitive information should never be communicated over wireless technologies, such as cellular or cordless telephones or wireless data devices (e.g., BlackBerry™ devices).
L. SBU disposal and destruction requirements and methods
Sensitive information should be destroyed by shredding or burning; paper containing sensitive information should not be recycled.
Deleting, erasing, or formatting will not sufficiently remove sensitive information from electronic storage formats. Instead, files should be removed by using multiple passes (10 times minimum) of a hard drive wiping program. Electronic or removable media should be physically damaged to the point of inoperability, via shredding, degaussing, melting, or other such methods before disposal.
A violation of this policy may be cause for punitive administrative action, including termination of employment, dismissal, or discharge from USPHS Commissioned Corps. Further civil and criminal prosecution may be sought under one or more of the laws codified in the United States Code of Federal Regulations.
Marking requirements identified in this policy apply to documents produced after this policy’s implementation date. However, all items, regardless of when they were produced, are subject to the remaining provisions of this policy effective upon the date of this policy’s implementation.
A. CDC Freedom of Information Policy. March 19, 2002.
B. CDC Records Control Schedule. May 15, 1998.
C. Computer Security Act of 1987, Public Law 100-235 (H.R. 145). January 8, 1988.
D. Executive Order 12958, National Security Information. April 17, 1995.
E. Export Administration Regulations. January 27, 2006.
F. Federal Information Security Management Act of 2002. December 2002.
G. Freedom of Information Act. September 18, 1996.
H. International Traffic in Arms Regulations. April 1, 1992.
I. National Institute of Standards and Technology: Computer Security. July 2003.
J. NSDD-189, National Policy on the Transfer of Scientific, Technical, and Engineering Information. September 21, 1985.
K. United States Code of Federal Regulations (1996-present). February 1, 2006.
VIII. ADDITIONAL RESOURCES
A. Arms Export Control Act. 1994.
B. CDC-IR-2002-06, Protection of Information Resources. CDC, April 2002.
C. CDC-IR-2002-03, Classified Material. CDC, April 2002.
D. CDC-IS-2005-03, Use of CDC Information Technology Resources. CDC, August 2005.
E. CDC-AM-2004-02, Procurement Integrity Restrictions. CDC, February 2004.
F. CDC-GA-2005-06, Clearance Of Information Products Distributed Outside CDC for Public Use. CDC, July 2005.
G. CDC-GA-2000-01, Privacy Act. CDC, November 2000.
H. CDC-GA-2002-02, Freedom of Information Act. CDC, March 2002.
I. CDC-GA-1998-01, Export Controls for Biological, Chemical, and Related Technical Data and Equipment. CDC, June 1998.
J. CDC-GA-2000-02, Federal Advisory Committee Meeting Minutes. CDC, December 2000.
K. CDC-GA-2005-14, CDC/ATSDR Policy on Releasing and Sharing Data. CDC, September 2005.
 References to CDC also apply to the Agency for Toxic Substances and Disease Registry (ATSDR).
 For ease of reference within policy documents, “NC” will refer collectively to CDC’s national centers, institute, the National Immunization Program, the Office of Genomics and Disease Prevention, and the Agency for Toxic Substances and Disease Registry (an independent Health and Human Services Agency that is led by the CDC director and for which CDC provides administrative services).