Back to Blog

Safeguarding Classified Information

by Irena Mroz | Feb 29, 2024

Safeguarding classified information is paramount to the security of any nation and its allies. However, modern collaboration tools and devices have made protecting it more challenging without the proper guardrails. Understanding classified information handling requirements and the technologies that can help enforce these obligations are the keys to preventing unauthorised access, dissemination and exposure of classified information.

What is Classified Information?

Classified information and classified national security information refer to sensitive data that the government has identified as requiring protection against unauthorised disclosure. It can take many forms, such as paper documents, photographs, maps, and electronic media, including databases, hard drives, CDs, and more. Information can only be categorised as classified if an official determination is made that its unauthorised release would damage national security.

Levels of Classified Information

Classified information is typically marked to indicate its classified status in documentary form. This classification is crucial in maintaining the safety and security of the sovereign nation, as it ensures that only authorised individuals have access to such sensitive information. Every country has its unique system for classifying sensitive information to ensure it is appropriately protected. Here are a few examples of classified information levels used by different governments and partner coalitions.

Australian Government Classifications

Australian Government and Defence use six classification levels based on the impact of the information if it were compromised.

TOP SECRET – The information’s confidentiality would cause exceptionally grave damage.
SECRET – The information’s confidentiality would cause serious damage.
PROTECTED – The information’s confidentiality would cause damage.

OFFICIAL: Sensitive – Official information that would cause limited damage to an individual, organisation or government.
OFFICIAL: All other information from government business operations and services and Defence business activities and information is OFFICIAL.
UNOFFICIAL: Information is not related to work at Defence.

UK Government Classifications

The UK’s Government Security Classification (GSC) follows a three-tier classification system based on the impact of the information if it were compromised.

TOP SECRET – “Compromise might cause widespread loss of life or else threaten the security or economic well-being of the country or friendly nations.”
SECRET – “Compromise might cause serious damage to military capabilities, international relations, or the investigation of serious organised crime.”
OFFICIAL – “Limited to no negative consequences, unless marked SENSITIVE, which could cause moderate damage.”

U.S. Government Classifications

The U.S. Government uses three classification levels for classified information based on the potential harm to national security that could result from its unauthorised release.

TOP SECRET (TS) – Information that would cause ‘exceptionally grave damage’ to national security.
SECRET (S) – Information that could cause serious harm to national security.
CONFIDENTIAL (C) – Information that could reasonably be expected to cause damage to national security.

The U.S. government also categorises information that falls in between classified and public information. It includes Uncontrolled Unclassified Information such as public information and Federal Contract Information (FCI), and Controlled Unclassified Information (CUI) which has two sensitivity levels, CUI Basic and CUI Specified. While unclassified, this information also has sensitivity levels and handling requirements that apply.

NATO Classifications

Allied nations also exchange classified information as part of joint military operations and intelligence sharing. The North Atlantic Treaty Organization (NATO) has its 4-tiered classification system for NATO classified information.

COSMIC TOP SECRET (CTS) – Information the unauthorised disclosure of which would cause exceptionally grave damage to NATO.
NATO SECRET (NS) – Information the unauthorised disclosure of which would cause serious damage to NATO.
NATO CONFIDENTIAL (NC) – Information the unauthorised disclosure of which would be damaging to the interests of NATO.
NATO RESTRICTED (NR) – Information the unauthorised disclosure of which would be disadvantageous to the interests of NATO.

CLASSIFIED INFORMATION PROTECTION

Preserving national security interests is crucial to maintaining sovereign security. With the rise of digital transformation, safeguarding classified information against threats from nation-states, cyberattacks, and human error has become increasingly complex. While each country has its classified information handling protocols, several universal best practices can be implemented to identify and protect classified information in its digital form. There are also country-specific requirements that must be followed for handling and storing physically classified information.

The following best practices are for your reference only. You must review the specific requirements for each country to ensure you are in compliance.

1. IDENTIFY and Tag ALL CLASSIFIED INFORMATION

The first step is to identify and categorise all the sensitive data your organisation holds and creates based on its sensitivity and the classification model you use. This process is also known as sensitive data classification. Data is constantly in flux as it is shared and edited, so you also need the ability to update the classification based on any changes made to the information that may change its sensitivity level.

2. MARK ALL CLASSIFIED INFORMATION

Marking requirements vary depending on the country. However, the required markings must be easily visible to anyone who uses or receives the information. Some countries and coalitions require ‘portion marking’ that individually marks each section of a document (e.g., individual paragraphs) as classified (C) or unclassified (U). Classified materials must also be securely transmitted according to each jurisdiction’s requirements.

3. Protect Classified Data with Data-Centric Zero Trust

Zero trust technologies are based on a simple idea, “trust no one, verify everything”. A proactive data-centric approach to protecting classified data ensures you verify anyone trying to access any systems, applications, or individual data files before granting the request. Zero trust is a highly effective methodology to ensure classified information remains secure and ‘need to know’ principles are enforced.

4. Balance “Need to Know” with “Need to Share”

The “Need to Know” principle, used in government and defence, requires a person to have a specific reason to access classified information to perform or assist with an authorised job function. However, sharing classified information with other parties, including coalition partners, military divisions and intelligence agencies, is crucial to mitigating threats and intelligence sharing. “Need to Share” principles ensure only authorised information is exchanged with authorised recipients. Together, these sharing principles help ensure that classified information is only given to those authorised to receive it, thereby improving security and reducing the risk of unauthorised disclosure.

4. Employ Attribute-based controls to tightly enforce access and security policies

Attribute-based access control (ABAC) is a data-centric security model that evaluates attributes (or characteristics of data and users), rather than roles, against policies to determine access. ABAC policies evaluate each file’s attributes, including security classification and permissions, user attributes such as nationality and security clearance, and environmental attributes such as time of day, location, and device, to determine who can access a specific file. This means access policies can be fine-grained and dynamically adjusted in real time, depending on the user’s security posture.

Attribute-based policies can also control how information can be used and shared. They can also apply file-level protection such as redaction, visual markings, encryption, force read-only access and more. Replacing role-based security with attribute-based policies enables fine-grain control over classified information access, protection and governance for robust conditional security.

6. Apply Handler Watermarks to Classified Information

While many countries require specific visual markings for classified data, security watermarks offer another level of protection. These watermarks can incorporate attributes of the information handler as a persistent watermark applied to the document when viewed, edited or printed. This helps document the chain of custody and deter photographing of classified information. If a photo is taken, the watermark is included, leaving a digital thumbprint.

7. Encrypt Classified Information Transferred Digitally

Encrypting information sent over a public network or through an unsecured space is generally required, depending on the classification level of the information. Employing technology that can dynamically apply encryption if the scenario requires it can prevent classified files from being accidentally sent without being properly secured.

8. Log Classified Data Access and Actions

You must also monitor and log access to classified data to ensure there are no vulnerabilities in the process. This includes capturing data access, user interactions, changes made to files, policy changes and other administrative tasks. A comprehensive audit trail ensures transparency, assists with auditing requirements and aids in investigations of data leaks or information mishandling.

Implementing Trusted Classified Information Security

The unauthorised disclosure of classified information can be highly damaging to a nation’s security. Safeguards are required to control access to and sharing classified information in digital and hard copy formats. Employing policy-enforced attribute-based access control and data protection enables classified information digital collaboration without compromising security.

archTIS offers a suite of products that deliver compartmentalised access controls and advanced information protection, enabling only authorised users to access classified information while also regulating who they share and collaborate on it with. Its policy-driven approach leverages user and data attributes to enforce the Need to Know and Need to Share principles. In addition to compartmentalised access control and sharing, archTIS products also provide file-level protection by encrypting information dynamically, enforcing read-only access, applying handler-based watermarks, redacting words and phrases, and preventing copy/paste/print. With archTIS’ proven military-grade solutions for trusted classified file sharing and ABAC-enabled Microsoft collaboration control, you can trust that your classified data is always safeguarded.

Irena Mroz

Chief Marketing Officer, archTIS

Irena Mroz is responsible for defining the company’s product marketing, branding, demand generation and public relations programs. A technical cybersecurity marketer, Mroz has built her successful career by empowering start-ups and public software companies to exceed growth objectives through successful demand generation, product positioning, high profile events and product evangelism. Mroz holds a Bachelor of Science in Mass Communications from Boston University’s College of Communication.

← ITAR Compliance Checklist archTIS Inspires Inclusion to Support International Women’s Day 2024 →