U.S. National Security Classification Banner
Detects U.S. national-security classification banner and portion markings (per Executive Order 13526 and the Intelligence Community marking system): a classification level — TOP SECRET, SECRET, CONFIDENTIAL — followed by one or more "//"-separated control or dissemination markings (SI, TK, HCS, SCI, SAP, NOFORN, ORCON, REL TO ...), or a parenthetical portion mark such as (S//NF) or (TS//SI). The bare words "secret" and "confidential" are far too common to match alone, so a match requires the "//" control structure or a parenthetical portion mark.
- Type
- regex
- Engine
- universal
- Confidence
- high
- Confidence justification
- High confidence: the "//" control structure and the parenthetical portion-mark syntax are unique to U.S. classification banners. Requiring the structure prevents the common English words "secret" and "confidential" from triggering matches.
- Jurisdictions
- us
- Regulations
- Executive Order 13526, NIST SP 800-53, FISMA
- Frameworks
- NIST CSF, ISO 27001, SOC 2
- Data categories
- government, security-classification
- Scope
- narrow
- Risk rating
- 10
- Platform compatibility
- Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Unsupported
Pattern
\b(?:TOP\s+SECRET|SECRET|CONFIDENTIAL)//(?:SI|TK|HCS|SCI|SAP|NOFORN|NF|ORCON|OC|REL\s+TO[\sA-Z,]+|FGI|RD|FRD)(?:/(?:SI|TK|HCS|SCI|SAP|NOFORN|NF|ORCON|OC|FGI|RD|FRD))*\bCorroborative evidence keywords
classification, classified, top secret, secret, confidential, NOFORN, ORCON, REL TO, SCI, sensitive compartmented information, declassify on, derived from, portion marking
Proximity: 300 characters
Should match
TOP SECRET//SI//NOFORN— Top Secret banner with SI compartment and NOFORN controlHeader: SECRET//REL TO USA, FVEY— Secret banner with releasability control(TS//SI//NF)— Parenthetical Top Secret portion mark
Should not match
This information is secret and must stay confidential— Bare words "secret" and "confidential" in prose, no banner structureCONFIDENTIAL business plan attached— "CONFIDENTIAL" alone with no "//" control markingCUI//SP-PRVCY//NOFORN— CUI banner, not a national-security classification level
Known false positives
- Templates, training decks, or marking guides that quote example banners (TOP SECRET//SI) for instructional purposes rather than marking real classified content. Mitigation: Require corroborative classification keywords (declassify on, derived from, portion marking) and exclude known training-material file paths.
- Fiction, news reporting, or historical documents reproducing classification banners. Mitigation: Layer with document-source metadata to distinguish operational documents from published/quoted content.