NIST 800-53 REV 5 • ACCESS CONTROL
AC-16(10) — Attribute Configuration by Authorized Individuals
Provide authorized individuals the capability to define or change the type and value of security and privacy attributes available for association with subjects and objects.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
The content or assigned values of security and privacy attributes can directly affect the ability of individuals to access organizational information. Thus, it is important for systems to be able to limit the ability to create or modify the type and value of attributes available for association with subjects and objects to authorized individuals only.
Practitioner Notes
Only authorized individuals should be able to configure how security attributes work — defining new labels, setting protections, and determining who can apply them.
Example 1: In Microsoft Purview, restrict the ability to create and modify sensitivity labels to the Compliance Administrator role. Regular users can apply labels but cannot create new ones or change label settings. Configure this under Purview → Roles & Scopes.
Example 2: For FSRM classification rules, restrict access to the File Server Resource Manager console to the server admin team only. Document which individuals are authorized to create or modify classification rules, and include this in your access authorization table in the SSP.
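The separation this control calls for, shown as an added Python example (not from NIST or from either product named above): defining or changing attribute types and values is limited to an authorized set, while any user may apply an attribute that already exists. The class, method and user names are hypothetical, and `attribute_admins` stands in for the documented list of authorized individuals.

```python
from dataclasses import dataclass, field

class AttributeConfigDenied(PermissionError):
    """Raised when an attribute operation is refused."""

@dataclass
class AttributeRegistry:
    # Hypothetical model: attribute_admins mirrors the documented list of
    # individuals authorized to configure attributes (e.g. the SSP table).
    attribute_admins: frozenset
    types: dict = field(default_factory=dict)     # attribute type -> allowed values
    bindings: dict = field(default_factory=dict)  # object -> {type: value}
    audit: list = field(default_factory=list)     # (actor, action, target, decision)

    def _require_admin(self, actor, action, target):
        # Record every authorization decision so denied attempts are reviewable.
        if actor not in self.attribute_admins:
            self.audit.append((actor, action, target, "DENIED"))
            raise AttributeConfigDenied(f"{actor} may not {action} {target!r}")
        self.audit.append((actor, action, target, "ALLOWED"))

    def define_type(self, actor, attr_type, values):
        """Create a new attribute type with its permitted values (admins only)."""
        self._require_admin(actor, "define_type", attr_type)
        if attr_type in self.types:
            raise ValueError(f"type {attr_type!r} already exists")
        self.types[attr_type] = set(values)

    def change_values(self, actor, attr_type, values):
        """Replace the permitted values of an existing type (admins only)."""
        self._require_admin(actor, "change_values", attr_type)
        if attr_type not in self.types:
            raise KeyError(attr_type)
        in_use = {b[attr_type] for b in self.bindings.values() if attr_type in b}
        orphaned = in_use - set(values)
        if orphaned:  # refuse a change that would strand already-labelled objects
            raise ValueError(f"values still in use: {sorted(orphaned)}")
        self.types[attr_type] = set(values)

    def apply(self, actor, obj, attr_type, value):
        """Associate an existing type/value with an object (any user)."""
        target = f"{attr_type}={value}"
        if value not in self.types.get(attr_type, ()):
            # Applying an undefined value would create an attribute by the back door.
            self.audit.append((actor, "apply", target, "DENIED"))
            raise AttributeConfigDenied(f"{target} is not a defined attribute")
        self.bindings.setdefault(obj, {})[attr_type] = value
        self.audit.append((actor, "apply", target, "ALLOWED"))
```

The `audit` list gives an assessor the evidence trail: each entry shows who attempted which configuration action and whether it was permitted.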