AC-16(04) Association of Attributes by Authorized Individuals

Provide the capability to associate ac-16.4_prm_1 with ac-16.4_prm_2 by authorized individuals (or processes acting on behalf of individuals).

Parameter ID Definition
ac-16.4_prm_1 organization-defined security and privacy attributes
ac-16.4_prm_2 organization-defined subjects and objects
ac-16.04_odp.01 security attributes
ac-16.04_odp.02 security attributes
ac-16.04_odp.03 privacy attributes
ac-16.04_odp.04 privacy attributes
ac-16.04_odp.05 subjects
ac-16.04_odp.06 objects
ac-16.04_odp.07 subjects
ac-16.04_odp.08 objects

Baselines

Guidance

Systems, in general, provide the capability for privileged users to assign security and privacy attributes to system-defined subjects (e.g., users) and objects (e.g., directories, files, and ports). Some systems provide additional capability for general users to assign security and privacy attributes to additional objects (e.g., files, emails). The association of attributes by authorized individuals is described in the design documentation. The support provided by systems can include prompting users to select security and privacy attributes to be associated with information objects, employing automated mechanisms to categorize information with attributes based on defined policies, or ensuring that the combination of the security or privacy attributes selected is valid. Organizations consider the creation, deletion, or modification of attributes when defining auditable events.