Date Published: May 2021
Comments Due:
Email Questions to:
Author(s)
Karen Scarfone (Scarfone Cybersecurity), Murugiah Souppaya (NIST)
Announcement
The National Cybersecurity Center of Excellence (NCCoE) has released a new draft project description, Data Classification Practices: Facilitating Data-Centric Security. This begins a process to further identify project requirements, scope, and hardware and software components for use in a laboratory environment.
The NCCoE will solicit participation from industry to develop an approach for defining data classifications and data handling rulesets and for communicating them to others. In addition, this project will attempt a basic proof-of-concept implementation that will include limited data discovery, analysis, classification, and labeling capabilities, as well as a rudimentary method for expressing how data with a particular label should be handled for each use case scenario. This project will result in practice guides and other publications to encourage increased standardization and adoption of data classification methods.
Besides providing public comments on the draft, you can join the Community of Interest by sending an email to data-nccoe@nist.gov.
As part of a zero trust approach, data-centric security management aims to enhance protection of information (data) regardless of where the data resides or who it is shared with. Data-centric security management necessarily depends on organizations knowing what data they have, what its characteristics are, and what security and privacy requirements it needs to meet so the necessary protections can be achieved. Standardized mechanisms for communicating data characteristics and protection requirements are needed to make data-centric security management feasible at scale. This project will examine such an approach based on defining and using data classifications. The project’s objective is to develop technology-agnostic recommended practices for defining data classifications and data handling rulesets and for communicating them to others. This project will inform, and may identify opportunities to improve, existing cybersecurity and privacy risk management processes by helping with communicating data classifications and data handling rulesets. It will not replace current risk management practices, laws, regulations, or mandates. This project will result in a freely available NIST Cybersecurity Practice Guide.
As part of a zero trust approach, data-centric security management aims to enhance protection of information (data) regardless of where the data resides or who it is shared with. Data-centric security management necessarily depends on organizations knowing what data they have, what its...
See full abstract
As part of a zero trust approach, data-centric security management aims to enhance protection of information (data) regardless of where the data resides or who it is shared with. Data-centric security management necessarily depends on organizations knowing what data they have, what its characteristics are, and what security and privacy requirements it needs to meet so the necessary protections can be achieved. Standardized mechanisms for communicating data characteristics and protection requirements are needed to make data-centric security management feasible at scale. This project will examine such an approach based on defining and using data classifications. The project’s objective is to develop technology-agnostic recommended practices for defining data classifications and data handling rulesets and for communicating them to others. This project will inform, and may identify opportunities to improve, existing cybersecurity and privacy risk management processes by helping with communicating data classifications and data handling rulesets. It will not replace current risk management practices, laws, regulations, or mandates. This project will result in a freely available NIST Cybersecurity Practice Guide.
Hide full abstract
Keywords
data-centric security management; data classification; data labeling; data protection; zero trust architecture; zero trust security
Control Families
None selected
