NIST SPECIAL PUBLICATION 1800-39A

Implementing Data
Classification Practices
Volume A:
Executive Summary

William Newhouse
Murugiah Souppaya
National Institute of Standards and Technology
Gaithersburg, Maryland

John Kent
Ken Sandlin
The MITRE Corporation
McLean, Virginia

Karen Scarfone
Scarfone Cybersecurity
Clifton, Virginia

April 2023

PRELIMINARY DRAFT

This draft was updated on May 2, 2023

This publication is available free of charge from

https://www.nccoe.nist.gov/data-classification
1 Executive Summary
2 Organizations are managing an increasing volume of data while maintaining compliance with policies for
3 protecting that data. Those policies are driven by business, regulatory, data security, and privacy
4 requirements. This publication can help organizations reduce the risk of data breaches, loss, and
5 mishandling through data-centric security management by demonstrating how to discover and classify
6 data based on its characteristics regardless of where the data resides or how it is shared. As part of a
7 zero-trust approach, security management depends on organizations knowing what data they have,
8 what the data’s characteristics are, and the organization’s security and privacy requirements for that
9 data. The example solutions in this guide focus on using data classification in various use cases to inform
10 the protection of data that is used by an organization and shared between organizations. The guide’s
11 use cases will demonstrate commercially available products that enable data classification. The first use
12 case focuses on classifying data used in email messages exchanged within and between organizations.

13 This 1800-series National Institute of Standards and Technology (NIST) publication documents how the
14 National Cybersecurity Center of Excellence (NCCoE) and its collaborators are using commercially
15 available technology to build interoperable data classification solutions for use cases. As the project
16 progresses, this preliminary draft will be updated with supporting guidance, and additional use cases
17 and volumes will also be released to solicit public comment.

18 CHALLENGE
19 Significant challenges that have hindered effective use of data classification for protecting data include:

20 ▪ The limited nature of actionable and interoperable standards for data classification across
21 different regulated industry sectors means that many organizations do not use classifications
22 that are consistent with those of their partners and suppliers to support various policies.
23 ▪ The lack of shared data classification schemes can result in data being classified and labeled
24 inconsistently.
25 ▪ Data being widely distributed across data centers, clouds, and endpoint devices complicates the
26 process of establishing and maintaining data inventories.
27 ▪ Data classifications and data handling requirements often change during the data lifecycle,
28 requiring the capability to adjust to those changing requirements.
29 ▪ Organizational culture may not connect its data owners and business process owners with its
30 data classification technology operators.

This practice guide can help your organization:

▪ Adopt, support, and implement interoperable data classification schemas
▪ Mitigate the security and privacy risks of sharing data within and among organizations
▪ Become familiar with commercially available solutions that can help classify data
▪ Develop and strengthen a common language for data classification

NIST SP 1800-39A: Implementing Data Classification Practices 1

 PRELIMINARY DRAFT

31 SOLUTION
32 The NCCoE is collaborating with technology providers to build several example data classification
33 solutions and demonstrate their ability to meet organizational data classification needs. The project’s
34 objective is to define product-agnostic recommended practices for defining data classification schemes
35 and communicating them to others. Organizations will also be able to use the recommended practices
36 to inventory and characterize data for other security management purposes, such as prioritization of
37 data in preparing the migration of systems, applications, and services to support post-quantum
38 cryptographic algorithms.

39 For the first example solution, the use case involves the creation, transmission, storage, and retrieval of
40 email. The solution focuses on the classification and exchange of email messages and attachments
41 within and among multiple organizations. Additional volumes of this publication will be released in the
42 future. Volumes will document how organizations can apply zero-trust-aligned approaches to solve the
43 challenge of exchanging data via email using data classification techniques. Future volumes will include
44 data classification guidance, example solution architectures, demonstrations of the technology, and
45 mapping relationships to support various government and industry-recommended practices.

46 Our solution strategy follows an agile implementation methodology to build iteratively and
47 incrementally while adapting or adding capabilities. Additional data classification use cases will be
48 examined to address an increasing number of requirements and resource types.

49 The following collaborators are working with NIST on this project.

Collaborators
ActiveNav Janusnet Thales Trusted Cyber Technologies
Adobe JPMorgan Chase & Co. Trellix
GitLab Quick Heal Virtru
Google

50 While the NCCoE is using a suite of commercial products to address this challenge, this guide does not
51 endorse these particular products, nor does it guarantee compliance with any regulatory initiatives. Your
52 organization's information security experts should identify the products that will best integrate with
53 your existing tools and IT system infrastructure. Your organization can adopt this solution or one that
54 adheres to these guidelines in whole, or you can use this guide as a starting point for tailoring and
55 implementing parts of a solution.

56 HOW TO USE THIS GUIDE

57 Depending on your role in your organization, you might use this guide in different ways:
58 Business decision makers, including chief information security, business security officers, and
59 technology officers can use this part of the guide, NIST SP 1800-39a: Executive Summary, to understand
60 the drivers for the guide, the cybersecurity challenge we address, our approach to solving this challenge,
61 and how the solution could benefit your organization.

62 Future releases of this publication will include guidance to assist people in the following roles:

NIST SP 1800-39A: Implementing Data Classification Practices 2

 PRELIMINARY DRAFT

63 Technology, security, and privacy program managers who are concerned with how to identify,
64 understand, assess, and mitigate risk will be able to use NIST SP 1800-39b: Approach, Architecture, and
65 Security Characteristics, which will describe what we built and why, including the risk analysis performed
66 and the security/privacy control mappings once it is published.
67 IT professionals who want to implement an approach like this will be able to make use of NIST SP 1800-
68 39c: How-To Guides, which will provide specific product installation, configuration, and integration
69 instructions for building the example implementations, allowing you to replicate all or parts of this
70 project once it is published.

71 SHARE YOUR FEEDBACK

72 Help the NCCoE make this guide better by sharing your thoughts with us as you read the guide. If you
73 adopt this solution for your own organization, please share your experience and advice with us. We
74 recognize that technical solutions alone will not fully enable the benefits of our solution, so we
75 encourage organizations to share lessons learned and best practices for transforming the processes
76 associated with implementing this guide.

77 To provide comments, contact the NCCoE at data-nccoe@nist.gov.

78
79 COLLABORATORS
80 Collaborators participating in this project submitted their capabilities in response to an open call in the
81 Federal Register for all sources of relevant security capabilities from academia and industry (vendors
82 and integrators). Those respondents with relevant capabilities or product components signed a
83 Cooperative Research and Development Agreement (CRADA) to collaborate with NIST in a consortium to
84 build this example solution.

85 Certain commercial entities, equipment, products, or materials may be identified by name or company
86 logo or other insignia in order to acknowledge their participation in this collaboration or to describe an
87 experimental procedure or concept adequately. Such identification is not intended to imply special
88 status or relationship with NIST or recommendation or endorsement by NIST or NCCoE; neither is it
89 intended to imply that the entities, equipment, products, or materials are necessarily the best available
90 for the purpose.

NIST SP 1800-39A: Implementing Data Classification Practices 3