NATO STANAG 4774/4778

STANAG 4774 and 4778 are ratified standards and part of the NATO labeling approach within the NATO DCS initiative.

STANAG 4774 defines the syntax for a Confidentiality Label, used for labelling numerous data objects (profiles exist for SOAP, REST, SMTP, XMPP, Office Open XML, OPC and sidecar files). STANAG 4778 defines how a Confidentiality Label is bound to the data, and using cryptographic techniques ensures the integrity of the label and the data.

The Confidentiality Label includes the traditional classification and caveats seen in email labelling and critically now includes additional metadata; the creator of the label, the creation time and the expiry time are examples of the additional metadata criteria that are included with the label.

The use of this Confidentiality Label allows the data to have a clearly defined owner, facilitates the sharing of data and provides a level of data assurance knowing the source and integrity of the data can be quickly determined.

A lot of the commercial, defence and intelligence organisations adopt network centric – protect the perimeter, and your information inside will remain safe. Unfortunately, today this isn’t the case; the perimeter protecting your information is widening. With the boom of cloud services, an increasingly mobile workforce and the need to share information, the protection of the perimeter becomes even more difficult when we’re unsure exactly where the perimeter is, and the more opening doors we place in our perimeter, the harder it becomes to protect.

We still need to protect the perimeter using our existing network-centric security tools, but also need to protect the information we store inside our network. A data-centric approach uses classification and encryption to protect the information wherever it moves, placing less importance on where your information resides.  

Yes, with the adoption of the NATO STANAG 4774 and 4778 standards we will reach a position where the data of all nations is protected using the same metadata standards, therefore, allowing for far easier sharing of protected data. Currently, each nation (or in some cases each system) adopts a local classification format, the data becomes over classified to match the network classification and guard products become more complicated having to support a multitude of formats and rules.

This results in unclassified data becoming secret, requiring a time-consuming review process and change of classification before the information can be shared, by which time the moment may has passed. In todays environment a multi-nation coalition force should easily be able to share data!

Email has always been the starting point for data classification, and that is true for Data Centric Security. However, these new standards have profiles that apply to a range of data objects and formats - new profiles are being written all the time. By data object we mean a file type (e.g. Word document, Notepad document etc.) and by format we mean XML, JSON etc. which can then be applied to an API - performing a database search from a web browser can then take into account your location and security clearance before result are returned.

No, although NATO is driving these STANAG standards as part of DCS and the Federated Mission Networking (FMN) initiative the concepts apply equally to both military and commercial organisations. Classification was first applied to email by Military / Intelligence organisations and this concept has now been adopted by commercial organisations to ensure data is protected and shared appropriately. With a wider adoption in the commercial market we will eventually find two or more organisations that need to understand each others classification format (metadata), repeating the issues the Military have today.

There is nothing in these NATO standards that stop adoption by a commercial organisation. The automobile industry always says to look at the latest Mercedes S-Class for the new technology that will become mainstream tomorrow, commercial organisations should be looking at the military today for classification technology that will become mainstream tomorrow.

A common metadata format is the base starting point. From this we can begin to expand and add more attributes to the metadata. This includes a classification review period, a succession label to be used after the review period has passed, the identity of the person assigning the classification. The standards has been written in such a way that new attributes can easily be added without breaking previous versions. Cryptographic binding of the classification metadata to the data ensures integrity of the label and the data in more secure environments, and the future inclusion for post-release protection ensures the data can be released for a number of days, after which the data cannot be accessed.