Nevada Implements New Data Policy

In response to a late summer cyberattack that disrupted much of Nevada’s state infrastructure, officials have implemented a new statewide policy governing how government data is classified and protected.

The Statewide Policy for Data Classification took effect this month and applies to all executive branch agencies. The framework establishes uniform standards for identifying, categorizing, and safeguarding information based on risk and regulatory requirements.

State officials say the policy replaces agency-specific or informal practices with a consistent, enterprise-wide approach designed to reduce cybersecurity risk while improving responsible data sharing across government. The Governor’s Technology Office stated the framework creates common standards for protecting sensitive information while allowing agencies to continue delivering services efficiently.

At the core of the policy is a four-tier system for classifying information. Data designated as “Public” includes information approved for unrestricted disclosure, such as public meeting agendas and published job postings.

“Sensitive” information covers internal, non-confidential materials intended for operational use, including draft documents and internal communications. “Confidential” information includes legally protected data where unauthorized disclosure could cause substantial harm, such as Social Security numbers, medical records, and financial information.

The highest tier, “Restricted,” applies to information subject to federal security requirements or critical to state operations, including criminal history records, cybersecurity defense plans, and encryption keys.

Under the new rules, if there is uncertainty about how information should be classified, it must be treated at a higher level of protection. The policy broadly defines information assets to include data in any format, ranging from paper records and emails to system configurations, images, and intellectual property.

It also clarifies roles and accountability within agencies. Agency Data Stewards are designated as the primary decision-makers responsible for classifying information, while data owners retain authority and responsibility for documenting those decisions.

State officials say the classification framework lays the groundwork for additional cybersecurity safeguards expected in the coming months, including multi-factor authentication, enhanced system logging, and encryption standards aligned with federal requirements.