Thanks. This NIST paper is extremely generic and provides no guidance on where to find sources of classification for various compliance purposes. The OMG's Cloud Working Group, which I co-chair, is finishing a draft of a much more substantial paper (almost 50 pages) that provides specific "domain taxonomies" for data governance, where a "domain" is a particular area of data protection. The paper specifically distinguishes four domains: privacy, export control, CUI/CDI (these are overlapping domains from the US DOD and NARA, referring to controlled unclassified information and classified defense information respectively), and intellectual property.
The paper has been assembled by a small team of experts in trade compliance and DOD classification rules (at the expense of being very focused on the U.S., even though ideally we would like to address an international audience more completely). I am actually finishing many hours of editing of the draft right now, and am in the process of including a reference to this NIST report with a very short summary of what it says. I will post the paper on the OMG server on Monday (today, for most of you) and expect it to be approved for release by OMG on or about December 7.
If people want to read it (ha! 50 pages...) and send feedback, I can send you the draft, and these are the things that may happen in the coming weeks or months:
- Minor edits/suggestions received by December 1 will be incorporated in the final draft to be voted on at OMG.
- More substantial changes can be incorporated into a 1.1 revision, to be approved at a subsequent quarterly meeting.
Thanks.
------------------------------
Claude Baudoin
cébé IT Knowledge Management
Co-Chair, OMG Cloud Working Group
https://www.omg.org/cloud------------------------------
Original Message:
Sent: Nov 16, 2023 12:28:36 AM
From: Michael Roza
Subject: NIST Internal Report NIST IR 8496 ipd Data Classification Concepts and Considerations for Improving Data Protection
Hi All,
NIST just published for comment NIST Internal Report NIST IR 8496 ipd Data Classification Concepts and Considerations for Improving Data Protection.
This publication defines basic terminology and explains fundamental concepts in data classification so there is a common language for all to use. It can also help organizations improve the quality and efficiency of their data protection approaches by becoming more aware of data classification considerations and taking them into account in business and mission use cases, such as secure data sharing, compliance reporting and monitoring, zero-trust architecture, and large language models.
The comment period for this draft is open until 11:59 p.m. EST on Tuesday, January 9, 2024. Visit our project page ( https://www.nccoe.nist.gov/data-classification#project-promo) for a copy of the draft and comment form.
------------------------------
Michael Roza CPA, CISA, CIA, CC, MBA, Exec MBA, CSA Research Fe
------------------------------