Security Architecture · SY0-701 · Task 3.3

Data classification — SY0-701

Master data classification for CompTIA Security+ SY0-701: learn what it is, why sensitivity drives it, and the exam traps around labeling vs. categorization.

WHAT IT IS

Data classification is the practice of assigning a sensitivity designation to information so that the appropriate controls can be applied to its generation, collection, processing, dissemination, and disposal. NIST defines sensitivity as "a measure of the importance assigned to information by its owner, for the purpose of denoting its need for protection" (CNSSI 4009-2015, cited by NIST SP 800-60 Vol. 1 Rev. 1). The information owner — defined by NIST as the "official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal" (FIPS 200, sourced from CNSSI 4009) — is the authoritative decision-maker for a classification label.

Mental model

Think of classification as answering a single question for every piece of data: what is the worst that could happen if this information lost confidentiality, integrity, or availability? NIST defines a security category as "the characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on agency operations, agency assets, individuals, other organizations, and the Nation" (NIST SP 800-37 Rev. 2, from OMB Circular A-130, 2016). That impact assessment is what drives the label — not the data type alone.

NIST further defines an impact value as "the assessed worst-case potential impact that could result from a compromise of the confidentiality, integrity, or availability of information expressed as a value of low, moderate or high" (NIST SP 800-37 Rev. 2, citing FIPS 199). So a classification label is a shorthand for an impact value that has already been determined through formal analysis.

When to use it

Candidates often confuse data classification with the adjacent concept of security categorization. The table below separates them.

Primary question
  Data classification: How sensitive is this data?
  Security categorization: What security category does this information or system fall into?

Who decides
  Data classification: The information owner
  Security categorization: Agency officials applying a defined methodology

Output
  Data classification: A sensitivity label applied to the data
  Security categorization: A security category used to select controls

NIST anchor
  Data classification: Sensitivity is the importance assigned by the owner to denote the need for protection
  Security categorization: Categorization is the process of determining the security category for information or an information system (NIST SP 800-37 Rev. 2)

Scope
  Data classification: The data itself
  Security categorization: The information or information system, including CIA impact on operations, assets, individuals, and the Nation

Confidentiality is the CIA triad property most directly at stake in classification decisions. NIST defines confidentiality as "preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information" (FIPS 200, derived from 44 U.S.C., Sec. 3542).

COMMON MISCONCEPTION

The classification label alone does not determine the controls — the impact assessment does.

A common trap is reasoning from the label backward: assuming that because data is labeled "sensitive" or "confidential" it automatically receives a specific prescribed set of controls. NIST's framework reverses this flow: the impact value is determined first ("low, moderate, or high" per NIST SP 800-37 Rev. 2, citing FIPS 199), and the classification label is a human-readable summary of that value. Controls are then selected to address the assessed impact, not the label text.
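The flow described in the mental model above and the trap described in this section can be made concrete in code. The example below is an added illustration, not content from this page, from CompTIA or from NIST: the low/moderate/high impact values come from FIPS 199 as quoted on the page, and the high-water-mark rule (a system's category is the highest impact across confidentiality, integrity and availability) is the FIPS 199 rule for information systems. The label names (Public, Internal, Confidential), the control sets and the two sample data sets are constructed for illustration and are not an official baseline. The point it demonstrates: two data sets that carry the same label can still require different controls, because the label summarises only the confidentiality impact while control selection uses the full assessment.

```python
"""Added example: impact assessment first, label second, controls from impact.

Label scheme, control sets and sample data sets are constructed for
illustration only; the impact values and high-water-mark rule follow FIPS 199.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List


class Impact(IntEnum):
    """FIPS 199 impact values, ordered so max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class SecurityCategory:
    """The (C, I, A) worst-case impact triple produced by the owner's assessment."""
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def high_water_mark(self) -> Impact:
        """FIPS 199: the system-level impact is the highest of the three."""
        return max(self.confidentiality, self.integrity, self.availability)


# Constructed label scheme: a human-readable summary of the confidentiality
# impact, the property the page says classification most directly concerns.
LABEL_BY_CONFIDENTIALITY: Dict[Impact, str] = {
    Impact.LOW: "Public",
    Impact.MODERATE: "Internal",
    Impact.HIGH: "Confidential",
}

# Constructed control sets, keyed by the assessed impact value, not by label text.
CONTROLS_BY_IMPACT: Dict[Impact, List[str]] = {
    Impact.LOW: ["access logging"],
    Impact.MODERATE: ["access logging", "role-based access", "encryption in transit"],
    Impact.HIGH: ["access logging", "role-based access", "encryption in transit",
                  "encryption at rest", "MFA for all access", "tested backups"],
}


def classify(category: SecurityCategory) -> str:
    """Step 2 of the page's flow: the label is derived from the assessed impact."""
    return LABEL_BY_CONFIDENTIALITY[category.confidentiality]


def select_controls(category: SecurityCategory) -> List[str]:
    """Correct flow: controls follow the full CIA assessment (high-water mark)."""
    return CONTROLS_BY_IMPACT[category.high_water_mark()]


def select_controls_from_label_backwards(label: str) -> List[str]:
    """The trap: reasoning from the label back to controls.

    The label only encodes confidentiality impact, so integrity and
    availability are lost; two data sets with one label get one answer.
    """
    confidentiality = next(k for k, v in LABEL_BY_CONFIDENTIALITY.items() if v == label)
    return CONTROLS_BY_IMPACT[confidentiality]


def compare(a: SecurityCategory, b: SecurityCategory) -> dict:
    """Return labels and both control selections for two data sets, so the
    difference between impact-driven and label-driven selection is visible."""
    return {
        "labels": (classify(a), classify(b)),
        "from_impact": (select_controls(a), select_controls(b)),
        "from_label": (select_controls_from_label_backwards(classify(a)),
                       select_controls_from_label_backwards(classify(b))),
    }


if __name__ == "__main__":
    # Constructed sample data sets (hypothetical): both are moderate-confidentiality,
    # but the second would cause high impact if it became unavailable.
    staff_directory = SecurityCategory(Impact.MODERATE, Impact.MODERATE, Impact.LOW)
    shift_schedule = SecurityCategory(Impact.MODERATE, Impact.LOW, Impact.HIGH)
    result = compare(staff_directory, shift_schedule)
    print("labels:      ", result["labels"])          # same label for both
    print("from impact: ", result["from_impact"])     # different control sets
    print("from label:  ", result["from_label"])      # identical, and wrong for one
```

Running the block shows both data sets labelled Internal; selecting from the assessed impact gives the second data set the high-impact control set, while selecting from the label hands both the moderate set. That is the gap the misconception creates: the label-driven path under-protects the data set whose availability impact is high.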

A related trap applies to government contexts. NIST defines classified information as "information that has been determined pursuant to Executive Order 13292 or any predecessor order to require protection against unauthorized disclosure and is marked to indicate its classified status when in documentary form." A separate but easily confused category is Controlled Unclassified Information (CUI): "information that law, regulation, or governmentwide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526" (NIST glossary, citing Executive Order 13556 and 32 CFR Part 2002). CUI is not classified information — it is unclassified information that still requires controls. Conflating the two is a recognized exam-adjacent error.

A third misconception: the information owner and the information system owner are different roles. The information owner holds authority over specified information and sets controls for it. The information system owner is responsible for the procurement, development, integration, modification, or operation of a system (FIPS 200, from CNSSI 4009). Both roles appear in exam scenarios; confusing them leads to misidentifying who is accountable for classification decisions.

How it shows up on the exam

Questions in this area test application of definitions and role accountability, not recall of label names. Cognitive targets include:

  • Distinguishing who assigns a classification (the information owner) from who operates the system holding the data (the information system owner).
  • Recognizing that sensitivity is defined relative to the owner's assessment of protection need, not an external universal scale.
  • Identifying whether a scenario describes classified information (protected per Executive Order, marked in documentary form) or CUI (unclassified but requiring safeguarding controls by law or policy).
  • Applying the confidentiality definition — "preserving authorized restrictions on information access and disclosure" — to determine which classification scenario implicates confidentiality harm.

Signal phrases to watch: "who is responsible for classifying", "what determines the appropriate controls", "controlled unclassified vs. classified", "PII requires what level of protection". NIST defines PII as "information that can be used to distinguish or trace an individual's identity" either alone or when combined with other linked or linkable information (FIPS 201-3, adapted from OMB M-17-12). Exam questions may present PII scenarios and ask candidates to reason about the classification basis — the answer turns on the potential impact of disclosure, not the mere presence of a name or identifier.

Related concepts

  • Data States — classification decisions must account for whether data is at rest, in transit, or in use, since the applicable controls differ by state.
  • Data Sovereignty — jurisdictional law can constrain or mandate how data is classified and where classified data may reside.
  • Data Protection Methods — the controls selected after classification is complete; classification drives which methods apply.

Sources

Every claim on this page traces to the public exam blueprint and official documentation:
