org.cispec.classification
recommended: any CI subject to regulatory, safety, or security classification
org.cispec.classification records what a Change Item is certified,
cleared, or regulated as — the category assigned to it by a regulatory
body, safety authority, or security framework.
This is distinct from org.cispec.environment, which
records what operational programme or zone the CI is assigned to, and
from org.cispec.location, which records where it is.
Using the Lockheed Martin example:
org.cispec.location=warehouse-13
org.cispec.environment=blackops
org.cispec.classification=ts/sci
org.cispec.commonname=groom.lake
These are four independent facts. The classification does not change based on where the asset is or what programme it supports. A document classified TS/SCI remains TS/SCI whether it is in a SCIF, in transit, or under review — the classification is a property of the asset, not of its context.
classification applies to any Change Item carrying a formal
classification: government and military clearance levels (CUI, TS/SCI,
NOFORN), healthcare data categories (PHI, PII, de-identified), payment
card scope (PCI CDE, in-scope, out-of-scope), aerospace safety
criticality (DO-178C DAL A through E, DO-254), industrial safety
integrity levels (IEC 61508 SIL 1–4), pharmaceutical regulatory class
(FDA Class I/II/III device, Schedule II controlled substance), and any
other formal regulatory or safety category. The term is deliberately
cross-domain: the same key covers a classified server, a PHI-containing
medical device, a safety-critical flight control system, and a
Schedule II drug shipment.
Value format
A classification identifier drawn from the applicable regulatory or safety framework. Use the framework’s own abbreviations where they exist.
org.cispec.classification=ts/sci
org.cispec.classification=phi
org.cispec.classification=pci-cde
org.cispec.classification=dal:a
org.cispec.classification=sil:2
org.cispec.classification=cui
org.cispec.classification=fda-class-ii
A CI MAY carry more than one classification label where multiple
frameworks apply simultaneously — a medical device inside a DoD
facility may be both fda-class-ii and cui.
Conformance
org.cispec.classification is RECOMMENDED for any CI subject to
formal regulatory, safety, or security classification. It is not
REQUIRED for Declared conformance because many CIs carry no formal
classification at all.
Attestation
classification is conditionally independently attestable, depending
on the framework. A US government classification (CUI, TS/SCI) is
verifiable against the originating authority’s records. An FDA device
class is verifiable against FDA’s 510(k) and PMA databases. A PCI CDE
scope designation is verifiable against the organisation’s Qualified
Security Assessor (QSA) report. A DO-178C DAL assignment is verifiable
against the certification authority’s type certificate records. The
attestation mechanism is framework-specific; this specification does
not mandate one.
Resolution and relation
Every Change Item sharing the same classification value forms an
edge in the namespace’s knowledge graph — “every TS/SCI-classified CI”
or “every PHI-containing device” are both real, expected queries for
security audit, regulatory review, and incident response.
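The queries described above, as an added Python example that is not part of the specification: it parses key=value label sets, indexes CIs by classification value, and answers "every TS/SCI-classified CI". The CI ids, the sample label sets, the repeated-key form for multiple labels, and the case-insensitive matching are assumptions of this example.

```python
from collections import defaultdict

KEY = "org.cispec.classification"

# Constructed sample CIs. Repeating the key to express several labels is an
# assumption of this example; the page does not define a multi-value syntax.
SAMPLE = {
    "ci-001": """
        org.cispec.location=warehouse-13
        org.cispec.environment=blackops
        org.cispec.classification=ts/sci
        org.cispec.commonname=groom.lake
    """,
    "ci-002": """
        org.cispec.location=clinic-4
        org.cispec.classification=fda-class-ii
        org.cispec.classification=cui
    """,
    "ci-003": """
        org.cispec.location=warehouse-13
        org.cispec.classification=TS/SCI
    """,
    "ci-004": "org.cispec.location=lobby",  # carries no classification
}

def parse_labels(text):
    """Return {key: [values]} from key=value lines, keeping repeated keys."""
    labels = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        labels[key.strip()].append(value.strip())
    return labels

def classification_index(cis):
    """Map each classification value to the set of CI ids that carry it."""
    index = defaultdict(set)
    for ci_id, text in cis.items():
        for value in parse_labels(text).get(KEY, []):
            index[value.lower()].add(ci_id)  # case-folding is an assumption
    return index

def classified_as(cis, value):
    """Audit query: every CI that carries the given classification."""
    return sorted(classification_index(cis).get(value.lower(), set()))

def unclassified(cis):
    return sorted(ci for ci, t in cis.items() if KEY not in parse_labels(t))
```

The ts/sci query returns ci-001 and ci-003 although only one of them records an environment, which reflects the page's point that classification is independent of location and environment.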
Document identifier
OID: 1.3.6.1.4.1.42387.2.8
GUID: ff8c27e8-562e-5b8d-a887-ebb1daeeb039