Data Classification

Download the Project Description & Comment

The NCCoE has released the draft project description, Data Classification Practices: Facilitating Data-Centric Security. Use the buttons below to view publication or to comment.

Download the PDF » Comment »

Current Status

We are seeking your feedback on our recently released draft project description, Data Classification Practices: Facilitating Data-Centric Security. We encourage organizations to review the draft and provide feedback for possible incorporation into the project description before the public comment period closes on June 21, 2021.

Questions and comments on this publication may be submitted to


As part of a zero trust approach, data-centric security management aims to enhance protection of information (data) regardless of where the data resides or who it is shared with. Data-centric security management necessarily depends on organizations knowing what data they have, what its characteristics are, and what security and privacy requirements it needs to meet so the necessary protections can be achieved. Standardized mechanisms for communicating data characteristics and protection requirements are needed to make data-centric security management feasible at scale.

This project will examine such an approach based on defining and using data classifications. The project’s objective is to develop technology-agnostic recommended practices for defining data classifications and data handling rulesets and for communicating them to others. This project will inform, and may identify opportunities to improve, existing cybersecurity and privacy risk management processes by helping with communicating data classifications and data handling rulesets. It will not replace current risk management practices, laws, regulations, or mandates.