Efforts to facilitate critical information sharing between multinational coalition partners, including traditional and non-traditional allies, have become more critical in light of recent conflicts. In addition, partner nations need to share and work together on highly classified information at different security classifications and clearances, which poses a challenge to multinational collaboration efforts.
The North Atlantic Treaty Organization (NATO), includes 31 member countries and numerous partner organizations. Its mission is to enable member nations to consult and cooperate on defense and security-related issues to solve problems, build trust and prevent conflict.
The NATO standardization agreement (STANAG) was created to build a common framework for security policies and confidentiality metadata to facilitate information sharing between member nations and industry partners. However, implementing the NATO STANAG 4774 and 4778 policies for classification can be complicated due to the disparate systems in use by member nations and nation-specific security classifications and clearance levels.
What are NATO STANAG 4774 and 4778?
A STANAG specifies the agreement of member countries to implement a standard. They provide a framework for interoperability, including common operational and administrative procedures and logistics, information systems (CIS), and formats to facilitate sharing of intelligence and other information for NATO and Allied operations.
STANAG 4774 outlines the metadata syntax required for a confidentiality label to better facilitate and protect sensitive information sharing. In addition, STANAG 4778 defines how a confidentiality label is bound to the data throughout its lifecycle and between the sharing parties. It also outlines cryptographic techniques to ensure the integrity of data and labels.
Confidentiality label requirements include:
- Information Owner to clearly define ownership throughout the data’s life cycle
- Label creator, creation date and expiry data
- Information Sharing on a ‘need-to-share’ versus ‘need-to-know’ security principle, especially for field deployed forces
- Information Standardization for interoperability, cooperation and efficient processes
- Information classification level and markings to indicate sensitivity
- Information Assurance provides a set of measures to provide a level of confidence in protection during information communication
- Data Assurance to provide data integrity
Challenges to NATO STANAG 4774 and 4778 Compliance
The standardization of information classification requirements to meet NATO standards can be a difficult task to implement. Member countries need to employ tools that can apply the required metadata and visual markings, as well as manage access to sensitive information to comply with the STANAGs.
However, metadata must include multiple layers of information, including:
- The date marking is applied.
- The identity of the countries that were part of that group at the time the document was created.
- Specific visual markings, depending on the data’s classification.
Microsoft 365 and SharePoint Server provide a common platform for multinational collation partners to share information. However, the multi-labeling and visual markings required can be challenging to achieve natively. Partner solutions can help fill this gap.
How We Can Help With Compliance
archTIS provides fine-grain attribute-based access control (ABAC) paired with dynamic labeling and visual marking capabilities for Microsoft 365 and SharePoint Server to help ensure STANAG 4774 and 4778 compliance, control access, and minimize risk. The NC Protect product augments the Microsoft collaboration and security applications in use to provide more comprehensive data-centric protection.
NC Protect enhances M365 and SharePoint Server with the following capabilities to assist with NATO STANAG 4774 and 4778 compliance:
- Unlimited Labels — NC Protect supports unlimited classification labels to augment out-of-the-box labeling limitations.
- Multi-labels — Allows multiple labels and metadata to be applied to a single document to meet labeling STANAG requirements, including expiry dates.
- Dynamic Classification — Data can be automatically classified using weighted keywords based on document sensitivity.
- Bring Your Own Classification — NC Protect can leverage other classifications, including Microsoft Purview Information Protection labels, Janusseal Documents labels, and other third-party classifications in its dynamic ABAC policies.
- Visual Markings — Applies visual markings, including headers, footers, CUI Designation Indicator labels, and custom information to identify information sensitivity clearly.
- Redaction — Redact sensitive or classified information, such as keywords or phrases, when viewed in Word, Excel, PowerPoint and PDF applications or in the NC Protect Secure Reader.
- Disable Print/Copy/Download by forcing viewing of sensitive content in the Secure Reader.
- Secure Dynamic Watermarks – Automatically applies secure watermarks that cannot be removed to identify the user handling sensitive information (e.g., name, date and time of access, IP address, etc.) to deter photographing and aid in forensics in case of data loss.
- Policy Enforcement — Inspects documents and emails for sensitive content and can block users from sending the file to an unauthorized recipient via SharePoint, Teams, or Exchange email.
- Access Control — Segment access to data using dynamic attribute-based access control (ABAC) policies (e.g., security classification, clearance level, briefing level, department, nationality) and zero trust principles at the individual file level.
- Auditing — Provides a centralized administration console for classification configuration and policy management. User activity logs can be monitored and analyzed in SIEM applications (Splunk, Microsoft Sentinel) to generate upstream actions and alerts.
NATO has created a robust interoperability framework for classification and access, which member countries and partner organizations must implement within their own systems. Employing technology to automatically apply and enforce classification, visual markings, and data-centric access ensures proper application of these controls, and only authorized parties access NATO information.
It’s important to note that classification and data protection technology should not be used just for international collaboration between member states but as a tool to enhance all of your systems with your own national and department labels and controls. Doing so will make your entire data system more resilient and controllable to holistically prevent intentional and unintentional data loss caused by internal and/or partner collaboration.
NC Protect safeguards information with data-centric policy-based controls and ensures compliance with NATO’s framework to prevent sensitive mission-critical information from being compromised.
White Paper:
Securing Multinational Coalition Collaboration with Data-Centric Security