Classified information systems

Classified information is information that a government or agency deems sensitive enough to national security that access must be controlled and restricted. Every government has differing levels of classification that are specific to their own context. For example, the U.S. Government uses three levels of classification to designate how sensitive certain information is: confidential, secret, and top secret. The lowest level, confidential, designates information that, if released, could damage U.S. national security. The other designations refer to information, the disclosure of which, could cause serious (secret) or exceptionally grave (top secret) damage to national security. Some data and information is considered unclassified and low risk, but this scenario is for higher risk and classified information systems.

The decisions concerning the level of data classification are often based on a risk approach and are often dependent on regulatory and compliance requirements. These requirements are often reflective of the data types. for example, personally identifiable information (PII) or personal health information (PHI), or information related to ITAR, HIPAA, IRAP, GDPR, or other compliance and regulatory requirements.

Often, the standards do not prescribe how agencies should meet the requirements, as agencies vary in size and complexity. Every agency has a unique information management environment with varying culture, risk tolerance, legacy systems, and resources. Agencies should implement the principles and characteristics to meet their specific circumstances.

Characteristics and principles of classified information systems architectures include:

Business information is systematically and holistically governed throughout its lifecycle.
Only necessary business information is created.
Business information is adequately described.
Business information is suitably stored and preserved.
It is known how long business information should be kept.
Business information is accountably destroyed or transferred.
Business information is saved in systems where it can be appropriately managed and monitored.
Business information is available for use and reuse.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Artificial intelligence in the public sector

Citizen engagement reference architecture