Overview
A joint cyber operation involves analysts from four NATO member states working within a shared Argus environment. Intelligence data ranges from open-source advisories to SECRET UE analytical products, and the participating nations have different bilateral sharing agreements with each other. A French analyst should not see a UK EYES ONLY indicator. A Romanian analyst cleared for CONFIDENTIEL UE should not be able to access a SECRET UE threat actor profile. The DCS Data Labelling module enforces these distinctions automatically at every data access layer, binding classification labels to data objects in a way that cannot be separated from the data itself and evaluating access permissions in real time against each user's clearance and nationality attributes.
The DCS Data Labelling module implements security classification labelling, metadata binding, and attribute-based access control across all data objects in the platform. Every piece of data carries appropriate security markings and access decisions are enforced in real time based on user clearance, organisational affiliation, and data classification level.
Open Standards
- STANAG 4774 Ed 1 (Confidentiality Metadata Label Syntax): Every data object receives a STANAG 4774 XML label encoding classification level, caveats, releasability markings, and compartments, generated and parsed using the standard's schema namespace `urn:nato:stanag:4774:confidentialityLabel:1.0`.
- STANAG 4778 Ed 1 (Metadata Binding Mechanism): Classification labels are cryptographically bound to their payload using an HMAC-SHA256 binding hash per STANAG 4778, so any tampering with either the label or the data object is detectable at validation time.
- NATO C-M(2002)49 (NATO Security Policy Framework): The default policy reference URI `urn:nato:policy:c-m(2002)49` is embedded in every generated label, anchoring classification decisions to the Alliance-wide security policy framework.
- Attribute-Based Access Control (NIST SP 800-162): Real-time access decisions are evaluated at every data layer against a combination of clearance level, nationality, organisational role, and compartment membership, following the ABAC pattern defined in NIST SP 800-162.
- GraphQL (June 2018 Specification): All classification label queries, inference mutations, and human review operations are exposed through a strongly typed GraphQL API, enabling precise per-field permission enforcement at the resolver level.
- XML 1.0 (W3C): STANAG 4774 labels are serialised to and parsed from well-formed XML, with XML-escaped attribute and text values to prevent injection, and namespace-aware parsing for interoperability with external classification engines.
- JSON (RFC 8259): Security labels, audit events, and classification metadata are also encoded as JSON for embedding in structured records, API responses, and downstream event-driven integrations.
Last Reviewed: 2026-02-24 Last Updated: 2026-04-14
Key Features
Security Classification Labels
Automated label assignment based on data source and content analysis. Support for multiple classification schemes including NATO levels (UNCLASSIFIED, RESTRICTED, CONFIDENTIAL, SECRET), EU equivalents (RESTREINT UE, CONFIDENTIEL UE, SECRET UE), and national classification scheme mapping per participating nation.
Label Lifecycle Management
Label creation with integrity verification, modification audit trails with approver chains, declassification workflows with time-based and event-based triggers, and bulk re-labelling with authorization controls. Every label change is recorded with the identity of the approving authority.
Metadata Binding
Tamper-evident binding of security labels to data objects ensures that classification markings cannot be separated from or altered independently of the data they protect. Support for XML and JSON label encoding formats with metadata inheritance for derived data products.
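The tamper-evident property described above can be shown with a small HMAC-SHA256 binding over a JSON-encoded label and its payload. This is an added example, not Argus code and not the STANAG 4778 wire format; the label field names, the canonicalisation, and the key are assumptions made for illustration.

```python
import hashlib
import hmac
import json

def canonical_label(label: dict) -> bytes:
    # Deterministic serialisation: same label content, same bytes.
    return json.dumps(label, sort_keys=True, separators=(",", ":")).encode("utf-8")

def bind(key: bytes, label: dict, payload: bytes) -> str:
    # Length-prefix the label so the label/payload boundary is unambiguous
    # in the MAC input; the payload is represented by its SHA-256 digest.
    lab = canonical_label(label)
    msg = len(lab).to_bytes(8, "big") + lab + hashlib.sha256(payload).digest()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify(key: bytes, label: dict, payload: bytes, binding: str) -> bool:
    # Constant-time comparison of the recomputed and stored binding values.
    return hmac.compare_digest(bind(key, label, payload), binding)

# Constructed sample data (hypothetical field names and demo key).
KEY = b"constructed-demo-key"
LABEL = {
    "policy": "urn:nato:policy:c-m(2002)49",
    "classification": "SECRET",
    "releasableTo": ["GBR", "FRA"],
    "compartments": [],
}
PAYLOAD = b"constructed threat actor profile"
BINDING = bind(KEY, LABEL, PAYLOAD)

def tamper_checks() -> dict:
    # Each case changes exactly one input and re-validates the stored binding.
    downgraded = dict(LABEL, classification="UNCLASSIFIED")
    widened = dict(LABEL, releasableTo=["GBR", "FRA", "ROU"])
    return {
        "intact": verify(KEY, LABEL, PAYLOAD, BINDING),
        "label_downgraded": verify(KEY, downgraded, PAYLOAD, BINDING),
        "release_widened": verify(KEY, widened, PAYLOAD, BINDING),
        "payload_modified": verify(KEY, LABEL, PAYLOAD + b"!", BINDING),
        "wrong_key": verify(b"other-key", LABEL, PAYLOAD, BINDING),
    }

if __name__ == "__main__":
    for name, ok in tamper_checks().items():
        print(f"{name}: {'valid' if ok else 'REJECTED'}")
```

A downgraded classification, a widened release list, or a modified payload each invalidates the binding, which is what makes the label inseparable from the data at validation time.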
Attribute-Based Access Control
Real-time access evaluation through Policy Decision Points with enforcement at all data access layers. Dynamic policy updates without service interruption. Support for complex access rules combining classification level, nationality, organisational role, and compartment membership. Access decisions are logged for audit and compliance review.
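A policy decision of this kind, applied to the two scenarios from the overview, can be sketched as follows. This is an added example, not the Argus Policy Decision Point; the attribute names, the rank table treating EU markings as equal to the NATO levels they are listed against, and the sample subjects and labels are assumptions.

```python
from dataclasses import dataclass

# Assumed rank table: EU markings share the rank of their NATO equivalents.
RANK = {"UNCLASSIFIED": 0, "RESTRICTED": 1, "RESTREINT UE": 1,
        "CONFIDENTIAL": 2, "CONFIDENTIEL UE": 2, "SECRET": 3, "SECRET UE": 3}

@dataclass(frozen=True)
class Subject:
    clearance: str
    nationality: str
    compartments: frozenset = frozenset()

@dataclass(frozen=True)
class Label:
    classification: str
    releasable_to: frozenset          # nations named in the release marking
    compartments: frozenset = frozenset()

def decide(subject: Subject, label: Label) -> tuple:
    """Return (permit, reason). Every rule must pass; anything unknown denies."""
    s, o = RANK.get(subject.clearance), RANK.get(label.classification)
    if s is None or o is None:
        return False, "unknown classification marking"   # fail closed
    if s < o:
        return False, "clearance below classification"
    if subject.nationality not in label.releasable_to:
        return False, "nationality not in release marking"
    if not label.compartments <= subject.compartments:
        return False, "missing compartment"
    return True, "permit"

# Constructed subjects and labels mirroring the overview scenarios.
FRENCH = Subject("SECRET", "FRA")
BRITISH = Subject("SECRET", "GBR")
ROMANIAN = Subject("CONFIDENTIEL UE", "ROU")
UK_EYES_ONLY = Label("SECRET", frozenset({"GBR"}))
ACTOR_PROFILE = Label("SECRET UE", frozenset({"FRA", "GBR", "ROU"}))

if __name__ == "__main__":
    for who, what in [(FRENCH, UK_EYES_ONLY), (BRITISH, UK_EYES_ONLY),
                      (ROMANIAN, ACTOR_PROFILE), (FRENCH, ACTOR_PROFILE)]:
        print(who.nationality, what.classification, decide(who, what))
```

Returning the reason alongside the decision gives the audit log the rule that fired, not only the outcome.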
Label Schema
Labels include policy identifier, classification level, category markings (compartments, codewords), release markings (RELTO nations), and handling instructions following international confidentiality label standards.
Use Cases
- Multi-National Operations: Apply consistent classification labelling across data shared between participating nations, with automated enforcement of release markings and handling restrictions. Prevent unauthorized cross-nation data exposure without manual review of every access.
- Data Sovereignty Compliance: Ensure all data objects carry appropriate national classification markings and that access is restricted to authorized personnel with appropriate clearance and nationality attributes.
- Declassification Management: Automate declassification workflows based on time triggers, events, or manual review, maintaining audit trails of all classification changes throughout the data lifecycle.
- Cross-Domain Sharing: Enable controlled sharing of classified data across security domains with attribute-based access mediation and complete audit logging that satisfies accreditation requirements.
Integration
Supports integration with external classification engines and policy management systems. Event-driven label change notifications enable downstream systems to respond to classification updates. Works alongside multi-tenant evidence scoping to ensure that both organisational and classification boundaries are enforced consistently.