Data Classification

A critical factor for achieving success in any business is the ability to share information and collaborate effectively and efficiently while satisfying the security and privacy requirements for protecting that information. Conventional network-centric security measures are increasingly ineffective for protecting information as systems become more dispersed, mobile, dynamic, and shared across different environments and subject to different types of stewardship.

Data-centric security management aims to enhance protection of information (data) regardless of where the data resides or who it is shared with.

The NCCoE aims to make data-centric security management feasible at scale by developing technology-agnostic recommended practices for communicating and safeguarding data protection requirements through data classifications and labels.
Status: Seeking Collaborators

Industry participants and other interested parties are invited to participate in the Data Classification Practices: Facilitating Data-Centric Security Management project. Please review the requirements identified in the Federal Register Notice. Anyone interested in becoming a collaborator should request a Letter of Interest. The NCCoE considers participants who have submitted a completed Letter of Interest on a first-come, first-served basis.

Project Abstract

As part of a zero trust approach, data-centric security management aims to enhance protection of information (data) regardless of where the data resides or who it is shared with. Data-centric security management necessarily depends on organizations knowing what data they have, what its characteristics are, and what security and privacy requirements it needs to meet so the necessary protections can be achieved. Standardized mechanisms for communicating data characteristics and protection requirements are needed to make data-centric security management feasible at scale. 

This project will examine a data-centric security management approach based on defining and using data classifications. The project’s objective is to develop technology-agnostic recommended practices for defining data classifications and data handling rulesets and for communicating them to others. This project will inform, and may identify opportunities to improve, existing cybersecurity and privacy risk management processes by helping with communicating data classifications and data handling rulesets. It will not replace current risk management practices, laws, regulations, or mandates.  

This project will result in a freely available NIST Cybersecurity Practice Guide.  

Join the Community of Interest

A Community of Interest (COI) is a group of professionals and advisors who share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Members typically meet monthly by teleconference. Share your expertise and consider becoming a member for this project's COI. 
