Information Security Marking Metadata



This XML Data Encoding Specification for Information Security Markings (ISM.XML) defines detailed implementation guidance for using XML to encode Information Security Markings data. This Data Encoding Specification (DES) defines the XML elements and attributes, associated structures and relationships, mandatory and cardinality requirements, and permissible values for representing security markings and Need-to-Know (NTK) data concepts using XML, and for wrapping security markings and NTK attributes together in an Access Rights and Handling (ARH) XML container.


This standard supports Executive Order (EO) 13526, Classified National Security Information, which “prescribes a uniform system for classifying, safeguarding, and declassifying national security information”, across national security disciplines, networks, services, and data.


This standard is a critical technical bridge between:

  • Security marking requirements defined by the National Archives and Records Administration (NARA)/Information Security Oversight Office (ISOO),
  • IC security markings register maintained by the Office of the Director of National Intelligence (ODNI)/Controlled Access Program Coordination Office (CAPCO), and
  • Information technology solutions that implement structured security marking metadata.

Compliance with this specification is measured against all aspects of the technical and documentary artifacts contained within the specification release package.


This specification has changed names and numeric designators multiple times since its inception in the late 1990s.


The IC Chief Information Officer maintains this specification via the Data Coordination Activity (DCA) and Common Metadata Standards Tiger Team (CMSTT).



Mission Requirements


Information sharing within the national intelligence enterprise will increasingly rely on information assurance metadata (including information security markings) to allow interagency access control, automated exchanges, and appropriate protection of shared intelligence when necessary.


A structured, verifiable representation of security marking metadata bound to the intelligence data is required in order for the enterprise to become inherently “smarter” about the information flowing in and around it. Such a representation, when implemented with other data formats, improved user interfaces, and data processing utilities, can provide part of a larger, robust information assurance infrastructure capable of automating some of the management and exchange decisions today being performed by human beings.


Throughout the intelligence life cycle, the enterprise needs:

  • User interfaces and processing logic that help users and services to reliably assign and manipulate information security markings at the portion and document level.
  • Automated rendering of electronic portion markings, security banners, classification authority blocks, and other security control markings in accordance with the IC's classification and control marking system and associated executive orders, statutes, and DNI policies.
  • Marking validation to ensure controlled values and business rules are followed.
  • Cross-domain discovery, access, and dissemination capabilities based on access policy logic that leverages electronic security markings along with other key metadata about users, services, clearances, and access environments.