# Government Security Classifications

### Purpose

This page defines how government information classifications are handled in projects.

### Classification Tiers

HMG information is managed using three main classification tiers:

| Tier       | Meaning for projects                                                                                |
| ---------- | --------------------------------------------------------------------------------------------------- |
| OFFICIAL   | Routine government business, public services and operations. Requires baseline protective controls. |
| SECRET     | Sensitive information that needs stronger protection because compromise could cause serious damage. |
| TOP SECRET | The most sensitive information requiring the highest levels of protection.                          |

OFFICIAL information may also carry handling caveats such as OFFICIAL-SENSITIVE where additional handling discipline is required.

### Project Rules

* classify information at creation or receipt;
* apply customer marking and handling instructions;
* store information only in approved locations;
* grant access based on need-to-know, role, attributes and approval;
* prevent movement into unapproved collaboration tools, repositories or AI systems;
* apply encryption and audit logging appropriate to the classification;
* retain, archive, return or securely dispose of information according to the contract and data owner instructions.

### Handling Matrix

| Handling area     | Required decision                                                                              |
| ----------------- | ---------------------------------------------------------------------------------------------- |
| Storage           | Approved system, classification boundary, geographic restrictions and backup model.            |
| Transmission      | Approved channel, encryption requirement and recipient validation.                             |
| Collaboration     | Approved workspace, membership control and external sharing restrictions.                      |
| Printing          | Whether printing is permitted, how outputs are protected and disposal method.                  |
| AI and automation | Whether data may be processed by AI tools, where prompts/logs are stored and who approves use. |
| Disposal          | Retention period, secure deletion method and evidence required.                                |

### Quality Gate

No project should process customer or government information until classification, handling, storage, sharing, retention and disposal controls are documented and approved.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://framework.aic.io/security-vetting-and-technical-assurance-playbook/classification-data-and-privacy/government-security-classifications.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.