﻿<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title type="text">NIST Draft Publications Open for Comment</title>
  <subtitle type="text">Many of NIST's cybersecurity and privacy publications are posted as drafts for public comment. Comment periods are still open for the following publications. Visit the links for downloads, related content, and instructions for submitting comments. Your thoughtful reviews and comments are greatly appreciated and help us to improve our standards and guidance.</subtitle>
  <id>https://csrc.nist.gov/CSRC/media/feeds/pubs/drafts-open-for-comment.xml</id>
  <updated>2026-03-12T09:00:39Z</updated>
  <logo>https://csrc.nist.gov/CSRC/Media/images/CSRC-white-134-38.png</logo>
  <link rel="alternate" href="https://csrc.nist.gov/publications/drafts-open-for-comment" />
  <entry>
    <id>https://csrc.nist.gov/pubs/sp/1800/39/ipd</id>
    <title type="text">SP 1800-39, Data Classification Practices (Initial Public Draft)</title>
    <summary type="text">&lt;p&gt;This guide,&amp;nbsp;&lt;em&gt;Data Classification Practices&lt;/em&gt;, demonstrates how organizations can discover, identify, and label unstructured data using data classification practices. Performing Data Classification Practices allows an organization to know its data and apply technologies that minimize the risk of valuable or sensitive data being lost or mismanaged. Data Classification Practices prepare an organization for the use of emerging security measures&amp;mdash;including Zero Trust Architecture, quantum-safe cryptography, and AI model training that requires labeled data. This 1800-series NIST publication documents how the NCCoE and its collaborators created a synthetic dataset and used commercially available data classification tools to discover, identify, and label unstructured data.&lt;o&gt;&lt;/o&gt;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Background&lt;o&gt;&lt;/o&gt;&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;Organizations trying to protect sensitive data from unauthorized access or disclosure need to understand all their data&amp;mdash;structured and unstructured&amp;mdash;across all the places that data might live. Sensitive data, such as PII, may reside in a variety of systems, digital conversations, data lakes, and file repositories. Identifying and classifying sensitive data is crucial for minimizing data loss and preparing organizations for advanced security measures, including Zero Trust Architecture, quantum-safe cryptography, and AI model training. &lt;o&gt;&lt;/o&gt;&lt;/p&gt;
&lt;p&gt;The goal of this project is to demonstrate data classification practices for identifying and understanding sensitive unstructured data. This NIST Cybersecurity Practice Guide provides users with the information they need to apply data classification practices to discover, identify, and label sensitive unstructured data using commercially available data classification technology. By doing so, organizations can better understand their data and minimize the risk of losing or mismanaging valuable or sensitive data.&lt;/p&gt;
&lt;p&gt;The public comment period ends on &lt;strong&gt;March&amp;nbsp;30, 2026.&lt;/strong&gt;&lt;/p&gt;</summary>
    <published>2026-02-12T00:00:00-05:00</published>
    <updated>2026-02-12T00:00:00-05:00</updated>
    <link href="https://csrc.nist.gov/pubs/sp/1800/39/ipd" />
    <content type="text">Comments Due 03/30/2026</content>
  </entry>
  <entry>
    <id>https://csrc.nist.gov/pubs/other/2026/02/05/accelerating-the-adoption-of-software-and-ai-agent/ipd</id>
    <title type="text">Other [Concept Paper] Accelerating the Adoption of Software and Artificial Intelligence Agent Identity and Authorization (Initial Public Draft)</title>
    <summary type="text">&lt;p&gt;The NIST National Cybersecurity Center of Excellence is interested in launching a project to demonstrate how identity standards and best practices can be applied to software agents, with a focus on agentic AI applications.&lt;o&gt;&lt;/o&gt;&lt;/p&gt;
&lt;p&gt;Artificial Intelligence (AI) technology brings great opportunities to organizations. Specifically, AI agents&amp;mdash;software systems that use data and algorithms to autonomously perform tasks&amp;mdash;offer the promise of improved productivity, efficiency, and decision-making in complex scenarios. However, realizing these benefits requires understanding the potential risks from giving AI agents access to diverse data sets, tools, and applications, and applying appropriate identification and authorization controls to mitigate these risks. &amp;nbsp;&lt;o&gt;&lt;/o&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;We Need Your Feedback&lt;/strong&gt;&lt;o&gt;&lt;/o&gt;&lt;/p&gt;
&lt;p&gt;To help the community provide input on this potential project, the NCCoE has released a concept paper, &lt;em&gt;Accelerating the Adoption of Software and Artificial Intelligence Agent Identity and Authorization&lt;/em&gt;, outlining considerations for a potential NCCoE project focused on applying identity standards and best practices to AI agents.&lt;o&gt;&lt;/o&gt;&lt;/p&gt;
&lt;p&gt;The concept paper provides an overview of the types of feedback that would be most helpful, such as:&lt;o&gt;&lt;/o&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Use Cases: How are organizations currently using or planning to use AI agents?&lt;o&gt;&lt;/o&gt;&lt;/li&gt;
&lt;li&gt;Challenges: What new and unique problems do AI agents bring compared to other software?&lt;o&gt;&lt;/o&gt;&lt;/li&gt;
&lt;li&gt;Standards: What current or emerging standards are being used to guide AI agent identity and access management?&lt;o&gt;&lt;/o&gt;&lt;/li&gt;
&lt;li&gt;Technologies: What technology is being used or planned to support AI agents?&lt;o&gt;&lt;/o&gt;&lt;/li&gt;
&lt;li&gt;More detailed questions on the identification, authorization, auditing and non-repudiation of AI agents, as well as controls to prevent and mitigate prompt injection techniques.&lt;o&gt;&lt;/o&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;How to Submit Feedback&lt;/strong&gt;&lt;o&gt;&lt;/o&gt;&lt;/p&gt;
&lt;p&gt;This concept paper is open for public comment through &lt;strong&gt;April 2, 2026&lt;/strong&gt;. We encourage you to visit our project page for more details and instructions to submit comments. We appreciate your feedback to inform the NCCoE&amp;rsquo;s work to accelerate the adoption of secure technologies.&lt;o&gt;&lt;/o&gt;&lt;/p&gt;</summary>
    <published>2026-02-05T00:00:00-05:00</published>
    <updated>2026-02-05T00:00:00-05:00</updated>
    <link href="https://csrc.nist.gov/pubs/other/2026/02/05/accelerating-the-adoption-of-software-and-ai-agent/ipd" />
    <content type="text">Comments Due 04/02/2026</content>
  </entry>
</feed>