Data Classification Practices

A critical factor for achieving success in any business is the ability to share information and collaborate effectively and efficiently while satisfying the security and privacy requirements for protecting that information. Conventional network-centric security measures are increasingly ineffective for protecting information as systems become more dispersed, mobile, dynamic, and shared across different environments and subject to different types of stewardship. Data classification practices enable data governance processes at scale.

Implementing Data Classification Practices

This project will demonstrate how to discover, identify, and label unstructured data using commercially available technology.
Status: Preparing Draft

The project is currently focused on lab demonstrations using collaborator tools to characterize, label, and tag unstructured data. 

The following publications provide an initial draft executive summary of the project and an initial draft exploring the terminology and concepts that frame the project’s deliverables as we gain insights from our work in the lab. These publications will remain as initial public drafts for now and will be updated in the future as we gain insights from the use of our collaborator tools on unstructured data.

NIST SP 1800-39A: Executive Summary (Preliminary Draft), Document Version
NIST IR 8496: Data Classification Concepts and Considerations for Improving Data Protection (Initial Public Draft), Web Version

Project Abstract

As part of a zero trust approach, data-centric security management aims to enhance protection of information (data) regardless of where the data resides or who it is shared with. Data-centric security management necessarily depends on organizations knowing what data they have, what its characteristics are, and what security and privacy requirements it needs to meet so the necessary protections can be achieved. Standardized mechanisms for communicating data characteristics and protection requirements are needed to make data-centric security management feasible at scale.

This project will examine a data-centric security management approach based on defining and using data classifications. The project’s objective is to develop technology-agnostic recommended practices for defining data classifications and data handling rulesets and for communicating them to others. This project will inform, and may identify opportunities to improve, existing cybersecurity and privacy risk management processes by helping with communicating data classifications and data handling rulesets. It will not replace current risk management practices, laws, regulations, or mandates.

This project will result in a freely available NIST Cybersecurity Practice Guide.


Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

Join the Community of Interest


A Community of Interest (COI) is a group of professionals and advisors who share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Share your expertise and consider becoming a member of this project's COI. 
