STANAG 4774 / 4778 Classification Labels
Status: Implemented
See the Status & Roadmap for the system-wide view.
What it is
STANAG 4774 and 4778 are the paired NATO standards for confidentiality metadata. STANAG 4774 defines the Confidentiality Label — a structured, machine-readable expression of a piece of data's classification (e.g. policy identifier, classification level, and category/caveat markings). STANAG 4778 defines the Metadata Binding — how that label is cryptographically and structurally bound to the data it describes so the marking cannot be separated or altered without detection.
Together they let systems make automated release and access decisions: a recipient (or a gateway between domains) can read the label, compare it against a security policy, and enforce a classification ceiling — refusing to pass or display data that exceeds the permitted level.
Bedrock's integration
Classification-label handling and ceiling enforcement are implemented server-side in
server/src/classification_gate.rs. Data is checked against the configured ceiling before it
is shared or released, so over-classified data is withheld rather than leaked.
For how this fits the wider access-control model, see Security model — Classification.
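The ceiling check described above, as an added Rust example; it is not the contents of server/src/classification_gate.rs, and every type, field and function name in it is hypothetical. It assumes the STANAG 4778 binding has already been verified, treats categories as restrictive markings that must all be permitted, and uses a constructed policy with four ordered levels.

```rust
// Added illustration: all names here are hypothetical, not Bedrock's API.
use std::collections::BTreeSet;

// Levels of one constructed policy; the derived Ord follows declaration order.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Level { Unclassified, Restricted, Confidential, Secret }

// The label fields the page names: policy identifier, level, categories.
pub struct Label { pub policy: String, pub level: Level, pub categories: BTreeSet<String> }

// What the releasing side is configured to permit.
pub struct Ceiling { pub policy: String, pub max_level: Level, pub allowed: BTreeSet<String> }

#[derive(Debug, PartialEq, Eq)]
pub enum Decision { Release, Withhold(&'static str) }

pub fn set(items: &[&str]) -> BTreeSet<String> {
    items.iter().map(|s| s.to_string()).collect()
}

// Fail closed: a missing label or any failed comparison withholds the data.
pub fn check(label: Option<&Label>, ceiling: &Ceiling) -> Decision {
    let label = match label {
        Some(l) => l,
        None => return Decision::Withhold("no label"),
    };
    // Levels defined by different policies are not comparable, so refuse.
    if label.policy != ceiling.policy {
        return Decision::Withhold("policy mismatch");
    }
    if label.level > ceiling.max_level {
        return Decision::Withhold("level exceeds ceiling");
    }
    // Assumption: every category on the label must be explicitly permitted.
    if !label.categories.is_subset(&ceiling.allowed) {
        return Decision::Withhold("category not permitted");
    }
    Decision::Release
}

fn main() {
    // Constructed sample values, not taken from any real policy.
    let ceiling = Ceiling { policy: "EXAMPLE-POLICY".into(), max_level: Level::Restricted, allowed: set(&["EXERCISE"]) };
    let doc = Label { policy: "EXAMPLE-POLICY".into(), level: Level::Secret, categories: set(&[]) };
    println!("{:?}", check(Some(&doc), &ceiling));
}
```

The order of the checks matters: the policy comparison comes first because a level is only meaningful within the policy that defines it.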
See also
Verified against server@ab688f0.