AC-16 Security and Privacy Attributes
a. Provide the means to associate ac-16_prm_1 with ac-16_prm_2 for information in storage, in process, and/or in transmission;
b. Ensure that the attribute associations are made and retained with the information;
c. Establish the following permitted security and privacy attributes from the attributes defined in [AC-16a](#ac-16_smt.a) for ac-16_prm_3: ac-16_prm_4;
d. Determine the following permitted attribute values or ranges for each of the established attributes: ac-16_odp.09;
e. Audit changes to attributes; and
f. Review ac-16_prm_6 for applicability ac-16_prm_7.
|ac-16_prm_1||organization-defined types of security and privacy attributes|
|ac-16_prm_2||organization-defined security and privacy attribute values|
|ac-16_prm_4||organization-defined security and privacy attributes|
|ac-16_prm_6||organization-defined security and privacy attributes|
|ac-16_odp.01||types of security attributes|
|ac-16_odp.02||types of privacy attributes|
|ac-16_odp.03||security attribute values|
|ac-16_odp.04||privacy attribute values|
|ac-16_odp.09||attribute values or ranges|
Information is represented internally within systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures, such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions that represent the basic properties or characteristics of active and passive entities with respect to safeguarding information. Privacy attributes, which may be used independently or in conjunction with security attributes, represent the basic properties or characteristics of active or passive entities with respect to the management of personally identifiable information. Attributes can be either explicitly or implicitly associated with the information contained in organizational systems or system components.
Attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, cause information to flow among objects, or change the system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of attributes to subjects and objects by a system is referred to as binding and is inclusive of setting the attribute value and the attribute type. Attributes, when bound to data or information, permit the enforcement of security and privacy policies for access control and information flow control, including data retention limits, permitted uses of personally identifiable information, and identification of personal information within data objects. Such enforcement occurs through organizational processes or system functions or mechanisms. The binding techniques implemented by systems affect the strength of attribute binding to information. Binding strength and the assurance associated with binding techniques play important parts in the trust that organizations have in the information flow enforcement process. The binding techniques affect the number and degree of additional reviews required by organizations. The content or assigned values of attributes can directly affect the ability of individuals to access organizational information.
Organizations can define the types of attributes needed for systems to support missions or business functions. There are many values that can be assigned to a security attribute. By specifying the permitted attribute ranges and values, organizations ensure that attribute values are meaningful and relevant. Labeling refers to the association of attributes with the subjects and objects represented by the internal data structures within systems. This facilitates system-based enforcement of information security and privacy policies. Labels include classification of information in accordance with legal and compliance requirements (e.g., top secret, secret, confidential, controlled unclassified), information impact level; high value asset information, access authorizations, nationality; data life cycle protection (i.e., encryption and data expiration), personally identifiable information processing permissions, including individual consent to personally identifiable information processing, and contractor affiliation. A related term to labeling is marking. Marking refers to the association of attributes with objects in a human-readable form and displayed on system media. Marking enables manual, procedural, or process-based enforcement of information security and privacy policies. Security and privacy labels may have the same value as media markings (e.g., top secret, secret, confidential). See MP-3 (Media Marking).
- OMB A-130 Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016.
- FIPS 140-3 National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3.
- FIPS 186-4 National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4.
- SP 800-162 Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019.
- SP 800-178 Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178.
Control Enhancements 10
- AC-16(01) Dynamic Attribute Association L M H P
- AC-16(02) Attribute Value Changes by Authorized Individuals L M H P
- AC-16(03) Maintenance of Attribute Associations by System L M H P
- AC-16(04) Association of Attributes by Authorized Individuals L M H P
- AC-16(05) Attribute Displays on Objects to Be Output L M H P
- AC-16(06) Maintenance of Attribute Association L M H P
- AC-16(07) Consistent Attribute Interpretation L M H P
- AC-16(08) Association Techniques and Technologies L M H P
- AC-16(09) Attribute Reassignment — Regrading Mechanisms L M H P
- AC-16(10) Attribute Configuration by Authorized Individuals L M H P
Related controls 16
- AC-03 Access Enforcement L M H P
- AC-04 Information Flow Enforcement L M H P
- AC-06 Least Privilege L M H P
- AC-21 Information Sharing L M H P
- AC-25 Reference Monitor L M H P
- AU-02 Event Logging L M H P
- AU-10 Non-repudiation L M H P
- MP-03 Media Marking L M H P
- PE-22 Component Marking L M H P
- PT-02 Authority to Process Personally Identifiable Information L M H P
- PT-03 Personally Identifiable Information Processing Purposes L M H P
- PT-04 Consent L M H P
- SC-11 Trusted Path L M H P
- SC-16 Transmission of Security and Privacy Attributes L M H P
- SI-12 Information Management and Retention L M H P
- SI-18 Personally Identifiable Information Quality Operations L M H P