What are the attributes of system security?

  • NIST Special Publication 800-53
  • NIST SP 800-53, Revision 5
  • AC: Access Control

Control Statement

  1. Provide the means to associate [Assignment: organization-defined types of security and privacy attributes] with [Assignment: organization-defined security and privacy attribute values] for information in storage, in process, and/or in transmission;
  2. Ensure that the attribute associations are made and retained with the information;
  3. Establish the following permitted security and privacy attributes from the attributes defined in AC-16a for [Assignment: organization-defined systems]: [Assignment: organization-defined security and privacy attributes];
  4. Determine the following permitted attribute values or ranges for each of the established attributes: [Assignment: organization-defined attribute values or ranges for established attributes];
  5. Audit changes to attributes; and
  6. Review [Assignment: organization-defined security and privacy attributes] for applicability [Assignment: organization-defined frequency].

Control Enhancements

AC-16(1): Dynamic Attribute Association

Baseline(s):

(Not part of any baseline)

Dynamically associate security and privacy attributes with [Assignment: organization-defined subjects and objects] in accordance with the following security and privacy policies as information is created and combined: [Assignment: organization-defined security and privacy policies].

AC-16(2): Attribute Value Changes by Authorized Individuals

Baseline(s):

(Not part of any baseline)

Provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security and privacy attributes.

AC-16(3): Maintenance of Attribute Associations by System

Baseline(s):

(Not part of any baseline)

Maintain the association and integrity of [Assignment: organization-defined security and privacy attributes] to [Assignment: organization-defined subjects and objects].

AC-16(4): Association of Attributes by Authorized Individuals

Baseline(s):

(Not part of any baseline)

Provide the capability to associate [Assignment: organization-defined security and privacy attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals).

AC-16(5): Attribute Displays on Objects to Be Output

Baseline(s):

(Not part of any baseline)

Display security and privacy attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-defined special dissemination, handling, or distribution instructions] using [Assignment: organization-defined human-readable, standard naming conventions].

AC-16(6): Maintenance of Attribute Association

Baseline(s):

(Not part of any baseline)

Require personnel to associate and maintain the association of [Assignment: organization-defined security and privacy attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security and privacy policies].

AC-16(7): Consistent Attribute Interpretation

Baseline(s):

(Not part of any baseline)

Provide a consistent interpretation of security and privacy attributes transmitted between distributed system components.

AC-16(8): Association Techniques and Technologies

Baseline(s):

(Not part of any baseline)

Implement [Assignment: organization-defined techniques and technologies] in associating security and privacy attributes to information.

AC-16(9): Attribute Reassignment – Regrading Mechanisms

Baseline(s):

(Not part of any baseline)

Change security and privacy attributes associated with information only via regrading mechanisms validated using [Assignment: organization-defined techniques or procedures].

AC-16(10): Attribute Configuration by Authorized Individuals

Baseline(s):

(Not part of any baseline)

Provide authorized individuals the capability to define or change the type and value of security and privacy attributes available for association with subjects and objects.


PCF Compliance

This control is P0 priority and not required for FISMA Moderate.

Control Description (NIST SP 800-53 Revision 4 wording)

The organization:

  1. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;
  2. Ensures that the security attribute associations are made and retained with the information;
  3. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and
  4. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes.

Supplemental Guidance

Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports.

Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes, when bound to data/information, enable the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information.

Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant.

The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling). Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret.
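The binding model described above, as an added illustration that is not part of NIST's text or any product: a toy Python registry that enforces permitted attribute types and values (AC-16 c and d), keeps the label with the object (AC-16 b), restricts changes to authorized principals (AC-16(2)), audits every change (AC-16 e), and renders a human-readable marking (AC-16(5)). The policy table, the principal names, and the dominance check are constructed assumptions for the example.

```python
"""Toy AC-16 attribute binding: permitted types/values, labels retained with the
object, authorized-only changes, an audit trail, and human-readable marking."""
from dataclasses import dataclass, field

# Permitted attribute types and value ranges (AC-16 c and d); constructed sample policy.
# Classification values are listed in increasing sensitivity so they can be compared.
PERMITTED = {
    "classification": ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"],
    "release": ["US ONLY", "NATO", "NOFORN"],
}
AUTHORIZED_LABELERS = {"data-owner"}  # AC-16(2): principals allowed to set or change values

AUDIT: list = []  # AC-16 e: every attribute change is recorded here


@dataclass
class LabeledObject:
    name: str
    payload: bytes
    attributes: dict = field(default_factory=dict)  # label travels with the data (AC-16 b)


def bind(obj, principal, attr_type, value):
    """Associate attr_type=value with obj, rejecting unknown types, out-of-range
    values, and unauthorized principals; records the old and new value."""
    if principal not in AUTHORIZED_LABELERS:
        raise PermissionError(f"{principal} may not change attributes")
    if attr_type not in PERMITTED:
        raise ValueError(f"attribute type not permitted: {attr_type}")
    if value not in PERMITTED[attr_type]:
        raise ValueError(f"value not permitted for {attr_type}: {value}")
    old = obj.attributes.get(attr_type)
    obj.attributes[attr_type] = value
    AUDIT.append({"object": obj.name, "by": principal, "type": attr_type, "old": old, "new": value})
    return obj


def marking(obj):
    """Human-readable marking for output devices (AC-16(5)), e.g. 'SECRET//NOFORN'."""
    parts = [obj.attributes[t] for t in ("classification", "release") if t in obj.attributes]
    return "//".join(parts) if parts else "UNMARKED"


def dominates(subject_clearance, obj):
    """Access check driven by the label: the subject's clearance must be at least
    the object's classification (unlabeled objects are treated as UNCLASSIFIED)."""
    order = PERMITTED["classification"]
    obj_level = obj.attributes.get("classification", "UNCLASSIFIED")
    return order.index(subject_clearance) >= order.index(obj_level)
```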

What are the three attributes of cyber security?

The CIA triad refers to an information security model made up of the three main components: confidentiality, integrity and availability. Each component represents a fundamental objective of information security.

What are the major attributes of security testing?

Normally, security testing has the following attributes:

  • Authentication
  • Authorization
  • Confidentiality
  • Availability
  • Integrity
  • Non-repudiation
  • Resilience

What is the security attribute that aims to achieve data privacy and protection against unauthorized disclosure?

Confidentiality.

What are privacy attributes?

Privacy Attribute: Confidentiality. A widely accepted meaning of privacy is confidentiality. Privacy confidentiality refers to the degree of secrecy of a person's information and reflects the severity of the consequences caused by its disclosure.
