Data Classification

Download the Final Project Description

The NCCoE has released the final project description, Data Classification Practices: Facilitating Data-Centric Security. Use the buttons below to view the publication.

Download the PDF »

Current Status

The NCCoE recently released a final project description, Data Classification Practices: Facilitating Data-Centric Security

If you have questions or would like to join our Community of Interest, please email the project team at


As part of a zero trust approach, data-centric security management aims to enhance protection of information (data) regardless of where the data resides or who it is shared with. Data-centric security management necessarily depends on organizations knowing what data they have, what its characteristics are, and what security and privacy requirements it needs to meet so the necessary protections can be achieved. Standardized mechanisms for communicating data characteristics and protection requirements are needed to make data-centric security management feasible at scale.

This project will examine such an approach based on defining and using data classifications. The project’s objective is to develop technology-agnostic recommended practices for defining data classifications and data handling rulesets and for communicating them to others. This project will inform, and may identify opportunities to improve, existing cybersecurity and privacy risk management processes by helping with communicating data classifications and data handling rulesets. It will not replace current risk management practices, laws, regulations, or mandates.