NIST SP 1800-39 (Initial Public Draft)

Data Classification Practices

Date Published: February 12, 2026
Comments Due: March 30, 2026
Email Comments to: [email protected]

Author(s)

William Newhouse (NIST), Murugiah Souppaya (NIST), John Kent (MITRE), Kenneth Sandlin (MITRE), Ryan Williams (MITRE), Karen Kent (Trusted Cyber Annex), Mark Evans (ActiveNav), Jimmy Katz (ActiveNav), John Dombroski (IBM), Harmeet Singh (IBM), Neville Jones (Janusnet), Helen Farrell (Janusnet), Pablo Blasco (Thales TCT), Jane Gilbert (Thales TCT), D'Nan Godfrey (Thales TCT), Matt Jochim (Thales TCT), Rich Johnson (Thales TCT), Ludmila Rinaudo (Thales TCT), Gina Scinta (Thales TCT), Patrick Greer (Trellix), Wilson Patton (Trellix), Jason White (Trellix)

Announcement

This guide, Data Classification Practices, demonstrates how organizations can discover, identify, and label unstructured data using data classification practices. Performing Data Classification Practices allows an organization to know its data and apply technologies that minimize the risk of valuable or sensitive data being lost or mismanaged. Data Classification Practices prepare an organization for the use of emerging security measures—including Zero Trust Architecture, quantum-safe cryptography, and AI model training that requires labeled data. This 1800-series NIST publication documents how the NCCoE and its collaborators created a synthetic dataset and used commercially available data classification tools to discover, identify, and label unstructured data.

Background

Organizations trying to protect sensitive data from unauthorized access or disclosure need to understand all their data—structured and unstructured—across all the places that data might live. Sensitive data, such as PII, may reside in a variety of systems, digital conversations, data lakes, and file repositories. Identifying and classifying sensitive data is crucial for minimizing data loss and preparing organizations for advanced security measures, including Zero Trust Architecture, quantum-safe cryptography, and AI model training.

The goal of this project is to demonstrate data classification practices for identifying and understanding sensitive unstructured data. This NIST Cybersecurity Practice Guide provides users with the information they need to apply data classification practices to discover, identify, and label sensitive unstructured data using commercially available data classification technology. By doing so, organizations can better understand their data and minimize the risk of losing or mismanaging valuable or sensitive data.

The public comment period ends on March 30, 2026.

Abstract

Keywords

synthetic unstructured data; data pillar of zero trust; data types, data labels; data classification practices

Control Families

None selected

Documentation

Publication:
Download URL

Supplemental Material:
Submit comments
Project homepage

Document History:
02/12/26: SP 1800-39 (Draft)