This guide, Data Classification Practices, demonstrates how organizations can discover, identify, and label unstructured data using data classification practices. Performing Data Classification Practices allows an organization to know its data and apply technologies that minimize the risk of valuable or sensitive data being lost or mismanaged. Data Classification Practices prepare an organization for the use of emerging security measures—including Zero Trust Architecture, quantum-safe cryptography, and AI model training that requires labeled data. This 1800-series NIST publication documents how the NCCoE and its collaborators created a synthetic dataset and used commercially available data classification tools to discover, identify, and label unstructured data.
Background
Organizations trying to protect sensitive data from unauthorized access or disclosure need to understand all their data—structured and unstructured—across all the places that data might live. Sensitive data, such as PII, may reside in a variety of systems, digital conversations, data lakes, and file repositories. Identifying and classifying sensitive data is crucial for minimizing data loss and preparing organizations for advanced security measures, including Zero Trust Architecture, quantum-safe cryptography, and AI model training.
The goal of this project is to demonstrate data classification practices for identifying and understanding sensitive unstructured data. This NIST Cybersecurity Practice Guide provides users with the information they need to apply data classification practices to discover, identify, and label sensitive unstructured data using commercially available data classification technology. By doing so, organizations can better understand their data and minimize the risk of losing or mismanaging valuable or sensitive data.
The public comment period ends on March 30, 2026.
Comment Email: [email protected]
