Skip to content

NATO STANAGs for Data-Centric Security

Important note on STANAG availability

NATO STANAGs are generally not publicly downloadable. They are NATO UNCLASSIFIED or NATO RESTRICTED documents distributed through official NATO channels. This document provides reference information about each relevant STANAG based on publicly available summaries, academic papers, and defence industry publications.

To obtain full STANAG documents, contact your national NATO delegation or search the NATO Standardization Office (NSO) standards database at https://nso.nato.int/nso/nsdd/main/standards (search by standard number, e.g. 4778 for STANAG 4778).

Core DCS STANAGs

STANAG 4774 - Confidentiality Metadata Label Syntax

  • Allied Data Publication: ADatP-4774
  • Title: Confidentiality Metadata Label Syntax
  • Edition: Edition A, Version 1
  • Status: Promulgated
  • Classification: NATO UNCLASSIFIED

What it covers: STANAG 4774 defines a standardized syntax for expressing confidentiality labels as structured metadata. It provides an XML-based format for encoding: - Classification levels (e.g., NATO UNCLASSIFIED, NATO RESTRICTED, NATO SECRET, COSMIC TOP SECRET) - Policy identifiers (which classification system applies) - Category markings (caveats, releasability, special access programs) - Creation and expiry timestamps for labels

Structure of a 4774 label: 

<ConfidentialityLabel xmlns="urn:nato:stanag:4774:confidentialitymetadatalabel:1:0">
  <ConfidentialityInformation>
    <PolicyIdentifier>urn:nato:stanag:4774:confidentialitymetadatalabel:1:0:policy:NATO</PolicyIdentifier>
    <Classification>SECRET</Classification>
    <Category TagName="ReleasableTo" Type="PERMISSIVE">
      <CategoryValue>GBR</CategoryValue>
      <CategoryValue>USA</CategoryValue>
      <CategoryValue>POL</CategoryValue>
    </Category>
  </ConfidentialityInformation>
</ConfidentialityLabel>

Relevance to DCS: This is the foundation of DCS Level 1 (Control/Labeling). Without standardized labels, systems can't make consistent access control or protection decisions. Every DCS implementation starts with labeling data according to STANAG 4774.

Key concepts: - Labels are machine-readable metadata, not just human-readable markings - Labels can express complex policies (multiple categories, compound rules) - Labels are independent of the data format they describe - Labels support both NATO and national classification schemes

STANAG 4778 - Metadata Binding Mechanism

  • Allied Data Publication: ADatP-4778
  • Title: Metadata Binding Mechanism
  • Edition: Edition A, Version 1
  • Status: Promulgated
  • Classification: NATO UNCLASSIFIED

What it covers: STANAG 4778 defines how to cryptographically bind metadata labels (including STANAG 4774 confidentiality labels) to the data they describe. This uses digital signatures to ensure: - Labels cannot be removed from data without detection - Labels cannot be modified without detection - The binding between label and data is verifiable - The identity of the entity that created the binding is provable

Binding mechanism: - Uses XML Digital Signatures (XMLDSig) or JSON Web Signatures (JWS) - Supports both enveloping (signature wraps data) and detached (signature separate) modes - Requires PKI infrastructure for signing and verification - Supports multiple simultaneous bindings (multiple labels on same data)

Relevance to DCS: This moves DCS Level 1 from basic labeling to cryptographically assured labeling. Without binding, labels are advisory metadata that anyone can change. With binding, labels have cryptographic integrity guarantees. This is what makes labels trustworthy across organizational boundaries.

Key concepts: - Binding creates a trust chain: data -> label -> signature -> certificate -> trust anchor - Any modification to data or label invalidates the binding - Bindings support federation (each organization can add their own bindings) - Gateways at organizational boundaries can verify bindings and re-bind after transformation

STANAG 4778 Extension for ZTDF (Zero Trust Data Format)

  • Status: Standardized by NATO in March 2024
  • Basis: Built on OpenTDF specification
  • Classification: NATO UNCLASSIFIED (specification); implementations may vary

What it covers: The ZTDF extension to STANAG 4778 standardizes a data wrapper format that combines: - STANAG 4774 confidentiality labels - STANAG 4778 metadata binding - Encryption of data payload (AES-256-GCM) - Key Access Server (KAS) integration for key management - Attribute-Based Access Control (ABAC) policy embedding - Federated key management across multiple organizations

ZTDF Structure: 

my-document.tdf (ZIP archive)
  |-- 0.payload           (AES-256-GCM encrypted data)
  |-- 0.manifest.json     (metadata, key access info, ABAC policy)

Manifest includes: - encryptionInformation: Algorithm, key access objects (one per KAS) - payload: Reference to encrypted payload, MIME type, integrity hash - assertions: Cryptographic assertions (STANAG 4774 labels bound per 4778)

Relevance to DCS: ZTDF is the NATO standard implementing DCS Level 3 (Protection via Encryption). It combines all three DCS concepts -- Control (labels), Protect (encryption), and Share (federated key management) -- into a single interoperable format.

ACP-240 - Data-Centric Security Interoperability

  • Title: Allied Communications Publication 240
  • Origin: Combined Communications-Electronics Board (CCEB), Five Eyes (FVEY) alliance
  • Status: Active; adopted by NATO and the U.S. Joint Chiefs of Staff
  • Classification: Varies by section

What it covers: ACP-240 is an Allied Communications Publication developed under the CCEB within the FVEY alliance (Australia, Canada, New Zealand, United Kingdom, United States). It defines data-centric security interoperability for coalition operations, including: - How the Zero Trust Data Format (ZTDF) is used for persistent data protection - Data-centric governance controls for legacy and next-generation applications - Interoperability requirements for multi-national data sharing - Integration with the Trusted Data Format (TDF) open standard

Note on origin: ACP-240 is not a NATO STANAG. It originated from the FVEY intelligence community through the CCEB. NATO has subsequently adopted the standard, and it also supports the Combined Joint All-Domain Command and Control (CJADC2) initiative. The "ACP" prefix denotes an Allied Communications Publication, a document series managed by the CCEB.

Relevance to DCS: ACP-240 describes how ZTDF enables data-centric interoperability across coalition partners. It is the operational standard that validated data-centric security during exercises such as Operation HIGHMAST (UK carrier strike group deployment), where classified data was shared across multiple command boundaries using ZTDF.

STANAG 4406 - Military Message Handling System (MMHS)

  • Title: Military Message Handling System
  • Status: Promulgated
  • Classification: NATO UNCLASSIFIED

What it covers: Defines the military messaging standard that commonly carries DCS-labeled data between NATO systems. MMHS messages can include STANAG 4774 confidentiality labels and STANAG 4778 bindings.

Relevance to DCS: MMHS is one of the primary transport mechanisms for DCS-protected data in NATO. Understanding how DCS labels travel within MMHS messages is necessary for implementing end-to-end data protection.

  • Relevance: Tactical data links that carry security-labeled tactical data. DCS principles apply to data shared over Link 16 at the tactical edge.

STANAG 4559 - NATO Standard for Intelligence, Surveillance, and Reconnaissance (ISR) Library Interface

  • Relevance: Defines how ISR products are stored and shared, including metadata labeling requirements that align with STANAG 4774.

STANAG 5500 - NATO Message Text Formatting System (FORMETS)

  • Relevance: Structured message formats that can carry DCS labels as part of formatted military messages.

NATO Core Metadata Specification (NCMS)

  • Version: 1.0
  • Status: Published

What it covers: The NCMS defines a common set of metadata elements for describing NATO information resources. It includes: - Dublin Core-based metadata elements - NATO-specific extensions for security marking - Integration with STANAG 4774 for confidentiality labels - Support for resource discovery and access control

Relevance to DCS: NCMS provides the broader metadata framework within which DCS labels (STANAG 4774) operate. It keeps security metadata as part of a complete metadata ecosystem, not isolated from other descriptive metadata.

How these standards work together

How NATO DCS Standards Work Together

DCS maturity levels mapped to standards

DCS Level Capability Primary Standards
Level 1 (Basic) Metadata labels on data (advisory) STANAG 4774, NCMS
Level 1 (Assured) Cryptographically bound labels STANAG 4774 + 4778
Level 2 Access control based on labels STANAG 4774 + ABAC policies
Level 3 Encrypted data with policy enforcement ZTDF (4774 + 4778 + encryption + KAS)

Academic and industry references

These publications provide additional context on NATO DCS standards:

  1. Nexor — "The Data-Centric Security Interoperability Dilemma" (publicly available whitepaper)
  2. Springer — "Towards Data-Centric Security for NATO Operations" (academic paper)
  3. NATO Allied Command Transformation — DCS documentation
  4. OpenTDF Specification — open source, implements ZTDF
  5. Stormshield ZTDF Documentation
  6. NATO Communications and Information Agency (NCIA) — DCS programme publications