Data Classification

A critical factor for achieving success in any business is the ability to share information and collaborate effectively and efficiently while satisfying the security and privacy requirements for protecting that information. Conventional network-centric security measures are increasingly ineffective for protecting information as systems become more dispersed, mobile, dynamic, and shared across different environments and subject to different types of stewardship.

Implementing Data Classification Practices

The NCCoE aims to make data-centric security management feasible at scale by developing technology-agnostic recommended practices for communicating and safeguarding data protection requirements through data classifications and labels.
Status: Reviewing Comments

The public comment period has closed for Data Classification Concepts and Considerations for Improving Data Protection. We are currently reviewing the comments received. Thank you to everyone who shared their feedback with us. 

NIST IR 8496 Data Classification Concepts and Considerations for Improving Data Protection (Draft), Web Version
NIST SP 1800-39A: Executive Summary (Preliminary Draft - comment period closed), Document Version

Project Abstract

As part of a zero trust approach, data-centric security management aims to enhance protection of information (data) regardless of where the data resides or who it is shared with. Data-centric security management necessarily depends on organizations knowing what data they have, what its characteristics are, and what security and privacy requirements it needs to meet so the necessary protections can be achieved. Standardized mechanisms for communicating data characteristics and protection requirements are needed to make data-centric security management feasible at scale. 

This project will examine a data-centric security management approach based on defining and using data classifications. The project’s objective is to develop technology-agnostic recommended practices for defining data classifications and data handling rulesets and for communicating them to others. This project will inform, and may identify opportunities to improve, existing cybersecurity and privacy risk management processes by helping with communicating data classifications and data handling rulesets. It will not replace current risk management practices, laws, regulations, or mandates.  

This project will result in a freely available NIST Cybersecurity Practice Guide.  

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

Join the Community of Interest

A Community of Interest (COI) is a group of professionals and advisors who share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Share your expertise and consider becoming a member of this project's COI. 
