How should classified records be handled when an agency moves workloads to a cloud or SaaS environment?
Moving to a cloud or software-as-a-service (SaaS) environment does not change an agency’s obligations for classified national security information. The classification of a record follows the information itself, not the system it lives in. Before any migration, the agency must confirm that the destination environment is authorized to store and process information at the appropriate classification level, and that the move is consistent with applicable security and records requirements.
Confirm the environment is authorized
Classified information may only reside in systems accredited for that level. A commercial cloud or SaaS offering that is approved for unclassified or controlled unclassified information (CUI) is not automatically suitable for classified material. Agencies should verify accreditation, physical and logical security controls, personnel clearances, and any cross-domain or encryption requirements before workloads move.
Preserve classification, marking, and provenance
Migration tooling must carry forward each record’s classification markings, dissemination controls, and declassification instructions. If metadata is stripped or flattened during transfer, the agency loses the basis for downstream review. Maintain a verifiable chain of custody so the system of record remains trustworthy and auditable.
Don’t lose the declassification clock
Many classified records carry declassification dates or events, and some become subject to automatic declassification after a set period. Cloud migration should not reset, obscure, or interrupt that schedule. Records must remain retrievable for declassification review, Freedom of Information Act and Privacy Act requests, and eventual transfer of permanent records to the National Archives.
Manage the full lifecycle
- Apply the correct retention schedule; migration is not authorization to dispose.
- Ensure secure, verifiable sanitization of source systems after a validated transfer.
- Address the shared-responsibility model so it is clear whether the agency or the provider controls each safeguard.
- Document the migration and retain audit logs as records in their own right.
Bottom line
Treat a cloud or SaaS move as a controlled records and security action, not just an IT project. The Information Security Oversight Office oversees the government-wide classification and declassification program, and NARA records-management policy frames the lifecycle obligations that persist regardless of platform.
For related guidance, see the declassification topic hub.
Sources & further reading
Authoritative government and non-profit references.
- Information Security Oversight Office (ISOO) — National Archives (NARA)
- Records management policy and guidance — National Archives (NARA)
How to cite this page
APA
RM University Editorial. (2026). How should classified records be handled when an agency moves workloads to a cloud or SaaS environment?. Records Management University. https://www.recordsmgmt.org/questions/handling-classified-records-in-cloud-and-saas-environments/
MLA
RM University Editorial. "How should classified records be handled when an agency moves workloads to a cloud or SaaS environment?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/handling-classified-records-in-cloud-and-saas-environments/.
Related questions
- Can a hospital or research university hold classified records, and how do FCL and HIPAA rules interact?
- Can a law firm representing a government client retain classified discovery, and who declassifies it after the case?
- Can a multinational company use ISO 15489 as a single recordkeeping standard across all of its countries?
- Can a private citizen request that a specific classified record be declassified?
- Can AI and machine learning reliably assist with declassification review of classified records?