Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
The NCCoE has released guidelines for data classification practices based on collaboration with industry to demonstrate practical approaches for data classification using commercially available technology.
Published as NIST Special Publication (SP) 1800-39, Data Classification Practices, these guidelines show how organizations can use data classification tools to discover, identify, and label sensitive unstructured data. The public comment period for this publication is open through March 30, 2026.
Background
Protecting sensitive data, such as personal information like social security numbers and biometric data, requires organizations to understand where its sensitive data resides. Organizations’ sensitive data may be unstructured, and can be found in various systems, including data lakes, file repositories, and emails. Since data is so vast and ubiquitous, organizations need a shared understanding of what data assets are to identify and protect them.
This publication demonstrates how organizations can apply data classification practices to discover, identify, and label sensitive unstructured data using commercially available data classification technology. Implementing effective data classification practices is an initial step for organizations looking to leverage advanced security measures including Zero Trust Architecture, quantum-safe cryptography, and secure AI model training.
Comment Now!
This draft publication is open for public comment through March 30, 2026. We encourage you to visit our project page for more details and instructions to submit comments. We appreciate your feedback to inform the NCCoE’s work to accelerate the adoption of secure technologies.