Domain 2 of 8 · Chapter 1 of 6

Data Classification

Why classify: proportional protection

No organization can protect every record to the same maximum standard; budgets, performance, and usability forbid it. Classification is the move that makes the trade-off rational: rank information once by the harm its compromise would cause, attach a label, and let that label drive every downstream control from access to destruction. The CIA triad supplies the axes a label is actually grading, and the sharp distinction to hold onto is that they are two different axes, because a record can be high on one and low on the other.

Classification is the act of ranking information by the harm its compromise would cause, so protection can be made proportional to that harm. No organization can protect every record to the same maximum standard: budgets, performance, and usability forbid it. So you grade information once, attach a label, and let that label drive every downstream control: access decisions, storage and transmission requirements, marking, retention, and destruction. The label converts an open-ended question ("how hard should we protect this?") into a lookup against policy.

The harm a label captures runs along two distinct axes, and a careful reader must keep them apart because a record can be high on one and low on the other. The diagram above groups each axis with the CIA objective it grades:

  • Sensitivity: how damaging unauthorized disclosure or modification would be. This is a confidentiality and integrity concern. Trade secrets, personal data, and pre-release financials are highly sensitive.
  • Criticality: how damaging it would be if the information or system were unavailable when needed. This is an availability concern. A public product catalog is not sensitive, but if it drives live order processing it can be highly critical.

NIST FIPS 199[1] formalizes this by rating the confidentiality, integrity, and availability impact of an information type independently, each as LOW, MODERATE, or HIGH: three ratings, not one combined score. That independence is the point: it lets a record be, say, HIGH for confidentiality but LOW for availability. When an exam scenario asks you to classify, decide which objective the loss event threatens before reaching for a level.

The same impact-graded logic extends from data to the things that hold it. Asset classification tags hardware, systems, software, and media by the sensitivity of the data they process or store, or the criticality of the function they support, so a laptop that handles HIGH-confidentiality data inherits that sensitivity and earns the corresponding controls. Classification of information and classification of assets are the same mental model applied to two object types; the asset usually inherits its grade from the data on it.

The harm a label gradesSensitivitydisclosure or modification harmConfidentialityIntegrityCriticalityunavailability harmAvailabilityFIPS 199 rates confidentiality, integrity, and availability impact independently
The two axes a label grades: sensitivity (confidentiality and integrity) versus criticality (availability), rated independently per FIPS 199.

Who classifies, and against which scheme

This section covers the governance of classification: who makes the call and what menu of labels they choose from. It assumes the proportionality idea from the previous section.

The data owner classifies; accountability is not delegable

Classification is a business decision made by the information (data) owner (a senior person in the business unit that creates or is responsible for the data), not by IT, security operations, or the custodian who stores and protects it. The owner determines the classification level and the protection requirements; the custodian implements those requirements (applies the encryption, runs the backups, enforces the access rules). The line between them is the most-tested distinction in this domain.

The reason the line matters is a governance rule that holds across the whole CISSP body of knowledge: you can delegate the responsibility to perform work, but you cannot delegate accountability. Even when handling is outsourced to a cloud provider or a managed-service custodian, the owner remains accountable for the label and for whether the data is adequately protected. So in a scenario, the actor who "determines the classification," "approves a change in classification," or "authorizes declassification" is always the owner, never the custodian, and never the security team acting on its own.

Government and commercial schemes

The labels differ by sector, but every scheme grades by the magnitude of harm from compromise, so learn each tier by its impact definition rather than its name. The diagram above stacks both schemes' tiers from most to least sensitive.

The U.S. government national-security scheme has four levels. The three classified tiers are defined by the damage to national security that unauthorized disclosure could reasonably be expected to cause, per Executive Order 13526 Sec. 1.2[2]:

Tier Damage standard on unauthorized disclosure
Top Secret exceptionally grave damage to national security
Secret serious damage to national security
Confidential damage to national security
Unclassified not a classified level; no damage standard applies

Note the predictable trap: "Confidential" is the lowest of the three government classified tiers, even though in everyday commercial usage "confidential" sounds like the most sensitive thing on the table. The word means different things in the two schemes.

A common commercial scheme uses four tiers graded by business impact: Confidential (most sensitive; serious harm to the organization if disclosed), Private (internal personnel or financial data, for use within the organization), Sensitive (harm if disclosed or altered; above public but below private), and Public (disclosure causes no harm). Other organizations use Restricted / Internal / Public, or a numeric scale; the number of levels is a policy choice. What is constant is the structure: each level is a band of expected harm, and the policy must define handling rules for each band so the label is actionable. A label with no associated handling requirement protects nothing.

Classification schemes (most to least sensitive)U.S. governmentTop SecretSecretConfidentialUnclassifiedCommercialConfidentialPrivateSensitivePublicConfidential is the lowest classified government tier, but the most sensitive commercial tier
Two schemes, tiers stacked most to least sensitive: the U.S. government four levels versus a common commercial four. Note where Confidential sits in each.

The federal categorization method: FIPS 199 and SP 800-60

This section is the mechanics of how a federal owner produces a classification, using the two NIST documents the exam expects you to attribute correctly. It assumes the owner-classifies rule and the impact-level idea from the previous sections.

In the federal model, classification is called security categorization and follows a documented method rather than a judgment call. The owner identifies the information type, looks up its provisional impact, confirms it, and rolls up to a system-level rating. The diagram above walks the four moves.

Step 1: identify the information type. NIST SP 800-60 Volume 1[3] is the Guide for Mapping Types of Information and Information Systems to Security Categories; it catalogs information types (for example privacy, financial, investigative) and is what an owner consults to find the type their data belongs to.

Step 2: assign a provisional impact to each objective. SP 800-60 provides a recommended provisional confidentiality, integrity, and availability impact for each information type, which the owner then adjusts to the organization's actual context. The meaning of each level is fixed by FIPS 199:

  • LOW: loss could be expected to have a limited adverse effect on operations, assets, or individuals.
  • MODERATE: loss could be expected to have a serious adverse effect.
  • HIGH: loss could be expected to have a severe or catastrophic adverse effect (e.g., loss of one or more primary functions, major financial loss, or loss of life).

Step 3: express the security category (SC). FIPS 199[1] records the result in a fixed notation:

SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}

For an information type, an objective may be NOT APPLICABLE (only confidentiality may be NA, for example, public information has no confidentiality requirement). Example from FIPS 199: investigative information categorizes as {(confidentiality, HIGH), (integrity, MODERATE), (availability, MODERATE)}.

Step 4: roll up to the information system (the high-water mark). A system usually holds several information types. Its category takes, for each objective independently, the highest impact among all resident types: the high-water mark defined by FIPS 199. So a system holding one MODERATE-confidentiality type and one LOW-confidentiality type is categorized HIGH-water at MODERATE for confidentiality. At the system level no objective may be NOT APPLICABLE and the minimum is LOW (the low-water mark for a system), because the system itself must always protect its own processing functions. The system's resulting categorization is the input that drives the control baseline selected afterward (in NIST's RMF, the next step is Select controls from SP 800-53). Categorize first: almost every later safeguard decision depends on this label.

1. Identifyinformation type(SP 800-60)2. Rate C, I, ALOW / MODERATE / HIGH(FIPS 199)3. Express SC{(C,..),(I,..),(A,..)}per info type4. High-water markhighest C, I, A acrossall types = system SCSystem SC drives the control baseline selected next (NIST RMF Select step)
Federal security categorization: identify the type (SP 800-60), rate C/I/A impact (FIPS 199), express the SC, then take the high-water mark across all types for the system.

Exam-pattern recognition

This section names the question shapes this subtopic produces and the answer logic, so you can recognize them under time pressure. It assumes the owner/custodian split and the impact model from the earlier sections.

Pattern 1: "Who classifies?" / "What is the FIRST step in protecting new data?" The stem describes a new dataset, a reclassification request, or a dispute about a label. The right answer is the data owner (or "classify the data" / "determine its sensitivity"). Distractors offer the custodian, the security administrator, or a control like encryption. They are wrong because the owner holds the non-delegable accountability for the label, and because you cannot rationally select a control before you know the classification: categorization precedes protection.

Pattern 2: "Confidential" means different things. A government-context stem lists Top Secret, Secret, Confidential, Unclassified and asks which is least/most sensitive among the classified levels. The trap is that Confidential is the lowest classified tier ("damage"), below Secret ("serious damage") and Top Secret ("exceptionally grave damage"). In a commercial scheme, by contrast, "Confidential" is often the most sensitive tier. Read which scheme the stem is in before ranking.

Pattern 3: sensitivity vs. criticality. The stem describes data that is, say, public but mission-essential, and asks for its protection priority or which objective dominates. Map disclosure/modification harm to sensitivity (confidentiality/integrity) and unavailability harm to criticality (availability). The trap is treating "not sensitive" as "not important": a low-sensitivity, high-criticality asset still needs strong availability controls.

Pattern 4: high-water mark. The stem gives a system holding two or more information types with different C/I/A impact ratings and asks for the system's categorization. Take the highest rating in each objective independently across all types (FIPS 199 high-water mark): do not average, and do not pick a single "overall" type. The trap answers either average the levels or apply one type's whole SC to the system.

Pattern 5: attribute the NIST document. The stem asks which publication defines the impact levels (answer: FIPS 199) versus which one maps information types to provisional categories (answer: SP 800-60). The trap swaps them, or offers SP 800-53, which is the control catalog selected after categorization, not the categorization method itself.

Classification tiers: U.S. government national-security scheme vs a common commercial scheme

Tier (high → low)U.S. government (damage to national security on disclosure)Common commercial scheme (business impact)
Tier 1 (most sensitive)Top Secret: exceptionally grave damageConfidential: most sensitive; serious harm to the business if disclosed
Tier 2Secret: serious damagePrivate: internal personnel/financial data; for use within the organization
Tier 3Confidential: damageSensitive: harm if disclosed/altered; more than public, less than private
Tier 4 (least sensitive)Unclassified: no national-security damage definition appliesPublic: disclosure causes no harm
What defines the tierMagnitude of expected damage to national securityMagnitude of business/financial/reputational impact

Sharp facts the exam loves — give these one last read before exam day.

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Classify data so protection is proportional to the harm its compromise would cause

Data classification ranks each information type by the impact of losing its confidentiality, integrity, or availability, then lets that label drive every downstream control: access, storage, transmission, marking, retention, and destruction. The purpose is proportionality: you cannot protect everything to the maximum, so grading once turns an open-ended "how hard should we protect this?" into a policy lookup. A classification with no defined handling rules per level protects nothing: the label must map to required controls to be useful.

Sensitivity and criticality are separate axes: judge the one the loss event threatens

Sensitivity measures the harm from unauthorized disclosure or modification (a confidentiality/integrity concern); criticality measures the harm from the data or system being unavailable when needed (an availability concern). They do not move together: a public price list is low-sensitivity but can be high-criticality if it drives live transactions, while archived personal notes can be high-sensitivity but low-criticality. Decide which objective the scenario's loss threatens before assigning a level.

Trap Treating low-sensitivity data as unimportant. A low-sensitivity but high-criticality asset still needs strong availability controls.

You can delegate the work of protecting data, but never accountability for it

Responsibility to perform a task can be delegated or outsourced; accountability cannot. The data owner stays accountable for the classification and for whether the data is adequately protected even after handling is handed to a custodian or a cloud provider. This is why outsourcing storage does not transfer the owner's duty for the label.

Trap Assuming that outsourcing storage to a custodian or cloud provider transfers accountability along with the work, when only the responsibility to perform moves.

1 question tests this
Classifying a new dataset is the first step before selecting any control

When new data or a new system is onboarded, have its owner classify it before granting access or choosing safeguards, because the label is the input every protection decision depends on. Selecting a control before you know the classification is choosing a solution before you know the requirement.

Trap Reaching for encryption or access controls as the FIRST step on new data. Categorization must precede control selection, since the label sizes the control.

2 questions test this
U.S. government classified tiers are defined by expected damage to national security

The national-security scheme grades the three classified levels by the damage unauthorized disclosure could reasonably be expected to cause: Top Secret = exceptionally grave damage, Secret = serious damage, Confidential = damage (per Executive Order 13526). Unclassified is not a classified level and carries no damage standard. Learn each tier by its damage definition rather than the word alone.

Trap Counting Unclassified as a fourth classified tier, when it carries no damage standard and is not a classified level at all.

In the government scheme, Confidential is the LOWEST classified tier

Among the three classified government levels, Confidential ranks below Secret and Top Secret. Its disclosure standard is plain "damage," the least severe of the three. This collides with everyday commercial usage, where "Confidential" often labels the most sensitive data, so the same word means opposite ends of the scale depending on the scheme.

Trap Ranking government Confidential as the most sensitive classified level. It is the least sensitive of the three classified tiers, below Secret and Top Secret.

A common commercial scheme runs Confidential, Private, Sensitive, Public

Commercial organizations grade by business impact rather than national-security damage. A widely taught four-tier model is Confidential (most sensitive; serious harm if disclosed), Private (internal personnel/financial data), Sensitive (harm if disclosed or altered; above public, below private), and Public (no harm on disclosure). The number of levels is a policy choice (others use Restricted/Internal/Public) but each level must be a defined band of expected harm.

Trap Treating one commercial label set as the single mandated standard, when the number and names of levels are a policy choice as long as each is a defined harm band.

FIPS 199 rates confidentiality, integrity, and availability impact independently

NIST FIPS 199 assigns an information type three separate impact ratings, one each for confidentiality, integrity, and availability, every one valued LOW, MODERATE, or HIGH. The ratings are independent, so a record can be HIGH for confidentiality yet LOW for availability; there is no single combined score for an information type.

Trap Collapsing C, I, and A into one overall impact score. FIPS 199 keeps the three objectives separate, each with its own level.

FIPS 199 impact levels map to limited, serious, and severe-or-catastrophic harm

FIPS 199 defines LOW as a loss expected to have a limited adverse effect, MODERATE as a serious adverse effect, and HIGH as a severe or catastrophic adverse effect on organizational operations, assets, or individuals. HIGH includes loss of a primary mission function, major financial loss, or loss of life. The verbal anchors (limited / serious / severe-or-catastrophic) are the testable distinction.

FIPS 199 records a category as SC = {(C, impact), (I, impact), (A, impact)}

The FIPS 199 security category (SC) notation lists the impact for each objective in a fixed triple, e.g. investigative information categorizes as {(confidentiality, HIGH), (integrity, MODERATE), (availability, MODERATE)}. For an information type, an objective may be NOT APPLICABLE, but NOT APPLICABLE is allowed only for confidentiality, never for integrity or availability.

Trap Assuming NOT APPLICABLE may be assigned to integrity or availability, when FIPS 199 permits it only for the confidentiality objective.

A system's category is the high-water mark across all its information types

When a system holds several information types, FIPS 199 sets its category by taking the highest impact in each objective independently across all resident types: the high-water mark. You do not average the levels and you do not apply a single type's whole triple to the system; each objective is maxed separately. This system category becomes the input that drives the control baseline selected next.

Trap Averaging the information types' impact levels, or copying one type's SC to the system. The system takes the maximum per objective, not a mean or a single type.

3 questions test this
A system's minimum category is LOW. NOT APPLICABLE cannot apply at the system level

Unlike an individual information type, an information system can never carry NOT APPLICABLE for any objective; its floor is LOW (the low-water mark). FIPS 199 reasons that the system must always protect its own processing functions and system information regardless of the data it happens to hold, so confidentiality, integrity, and availability each have at least a LOW minimum impact.

Trap Carrying NOT APPLICABLE up to the system level the way it is allowed for an information type, when a system's floor is always at least LOW for every objective.

SP 800-60 maps information types to their provisional impact levels

NIST SP 800-60 Volume 1 is the Guide for Mapping Types of Information and Information Systems to Security Categories; it catalogs information types (privacy, financial, investigative, and so on) and recommends a provisional confidentiality, integrity, and availability impact for each, which the owner then adjusts to context. It is the lookup that feeds the categorization, distinct from FIPS 199 which defines what the levels mean.

Trap Crediting SP 800-60 with defining what LOW, MODERATE, and HIGH mean, when it only maps types to provisional levels and FIPS 199 defines the levels themselves.

Attribute the standards: FIPS 199 defines levels, SP 800-60 maps types, SP 800-53 supplies controls

Keep the three roles separate: FIPS 199 defines the impact levels and the categorization rules, SP 800-60 maps an information type to its provisional impact, and SP 800-53 is the control catalog selected after categorization to build the baseline. Categorization (FIPS 199 / SP 800-60) precedes control selection (SP 800-53). Naming the source document correctly is a recurring exam discriminator.

Trap Citing SP 800-53 as the categorization method. It is the control catalog applied after the category is set, not the tool that determines impact levels.

Asset classification inherits the sensitivity of the data the asset holds or the function it supports

Classification extends from information to the things that hold it: hardware, systems, software, and media are graded by the sensitivity of the data they process or store, or the criticality of the function they support. A laptop handling HIGH-confidentiality data inherits that grade and earns the matching controls. The asset usually takes its level from the data on it, so reclassifying or wiping the data can change the asset's required handling.

Trap Grading hardware on its own cost or specs rather than inheriting the sensitivity of the data it holds or the criticality of the function it supports.

Higher classification justifies stronger and costlier controls, not blanket maximum protection

The label sets the bar: more sensitive or more critical classifications warrant stronger access, encryption, monitoring, and destruction controls, while lower tiers get lighter handling so resources are not wasted. The economic argument for classifying at all is that uniform maximum protection is unaffordable and uniform minimum protection is unsafe: graded labels let spend track risk.

Trap Applying the strongest controls uniformly across every tier to be safe, when the economic point of classifying is to let lower tiers receive lighter, cheaper handling.

A workable classification scheme has a few self-descriptive levels and is reviewed periodically

Most schemes run three to five levels: enough to differentiate sensitivity yet few enough that users apply them consistently. Use self-descriptive, ordered names (e.g. Confidential, Highly Confidential) so the relative sensitivity is obvious, and revisit classifications periodically or when significant business/system change occurs.

3 questions test this

Also tested in

References

  1. FIPS 199: Standards for Security Categorization of Federal Information and Information Systems Whitepaper
  2. Executive Order 13526: Classified National Security Information (Sec. 1.2 Classification Levels)
  3. NIST SP 800-60 Vol. 1 Rev. 1: Guide for Mapping Types of Information and Information Systems to Security Categories Whitepaper