XMLSPIF.ORG contains the specification of an open XML SPIF (Security Policy Information File) format, including background information on the specification, example SPIFs, and information on those who support xmlspif.org.

Security Labels & SPIFs

Security labels provide a way of indicating the sensitivity of a piece of information, for example e-mail message, document, directory information. They indicate to both the recipient and the associated applications how the information should be handled.

A security labelling policy defines all of the security labels that may be used with that policy so that security labels can be:

  1. consistently applied
  2. consistently displayed
  3. subjected to an access control decision

Many products that handle security labels will often use their own proprietary mechanisms for configuring the security labelling policy. Thus when faced with configuring the security labelling policy within an organisation that uses many disparate products, it can be difficult to ensure that the policy has been configured correctly in all those products.

A security labelling policy is often represented in a file, referred to as a SPIF (Security Policy Information File). A key benefit of using a SPIF is that it provides an electronic representation of the complete security labelling policy in one place that can be shared and installed on systems that need to implement the security labelling policy.

Whilst there are some standards defining SPIFs (in particular SDN.801 and X.841), there is no industry consensus on which SPIF format to use and the standardized SPIFs do not contain all of the elements that some security labelling policies require.

Why an Open XML SPIF?

XML is a widely adopted standard that can be easily used by many systems, and there are many tools for editing, manipulating and transforming XML data. XML is a good choice as a base syntax for defining a SPIF. Unfortunately there is no standardized XML SPIF.

For organizations deploying systems supporting security labelling policy, having a single SPIF format is highly desirable, particularly when products are obtained from more than one vendor.

An open specification makes it straightforward for widespread adoption and use.


The XML SPIF from xmlspif.org is defined here. The original specification was developed by SMHS, and the version published on this site incorporates a number of extensions developed in by SMHS and supporters of xmlspif.org. Updates to the specification will be managed by SMHS, following a consultative process involving all supporters of xmlspif.org, and making changes only where there is consensus between xmlspif.org supporters.

Xmlspif.org supporters

A number of organizations support xmlspif.org and the open XML SPIF specification. Xmlspif.org welcomes new supporters, and any organization that supports the goals set out on this website may become a supporter.

How to support xmlspif.org

If you wish to support xmlspif.org, please contact us using the details at the bottom of the Supporters page.