NIST 800-53 REV 5 • ACCESS CONTROL

AC-16(2) Attribute Value Changes by Authorized Individuals

Provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security and privacy attributes.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

The content or assigned values of attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for systems to be able to limit the ability to create or modify attributes to authorized individuals.

Practitioner Notes

Only authorized individuals should be able to change security attributes on data. You do not want just anyone downgrading a classification label to bypass protections.

Example 1: In Microsoft Purview, configure label policies so that only users in the Classification-Managers group can downgrade a sensitivity label. Regular users can apply or upgrade labels but need approval to remove or lower them. Set this under Label policies → Require justification for downgrade.

Example 2: For file share classification, set NTFS permissions on the classification metadata so that only the data owner and the security team can modify the label. Use File Server Resource Manager (FSRM) classification rules and restrict who can modify the classification properties.
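The rule in Example 1 can also be checked after the fact against a record of label changes: applying or upgrading a label passes, while a downgrade or removal must come from a member of Classification-Managers and carry a justification. This is an added example, not part of the original page and not Microsoft tooling; the label ordering, record fields and sample events are constructed assumptions, not a Purview or FSRM schema.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed label ordering, lowest to highest sensitivity (not from the page).
LABEL_RANK = {"Public": 0, "General": 1, "Confidential": 2, "Highly Confidential": 3}
AUTHORIZED_GROUP = "Classification-Managers"  # group named in Example 1


@dataclass
class LabelChange:
    user: str
    groups: frozenset
    item: str
    old_label: Optional[str]  # None means the item was unlabeled
    new_label: Optional[str]  # None means the label was removed
    justification: str = ""


def rank(label):
    # Unlabeled ranks below every label, so removing a label counts as a downgrade.
    return -1 if label is None else LABEL_RANK[label]


def review(change):
    """Return findings for one change; an empty list means compliant."""
    if rank(change.new_label) >= rank(change.old_label):
        return []  # apply or upgrade: allowed for any user
    findings = []
    if AUTHORIZED_GROUP not in change.groups:
        findings.append("downgrade by user outside " + AUTHORIZED_GROUP)
    if not change.justification.strip():
        findings.append("downgrade without justification")
    return findings


def audit(changes):
    """Map 'user:item' to its findings for every non-compliant change."""
    return {f"{c.user}:{c.item}": f for c in changes if (f := review(c))}


# Constructed sample events (illustrative field layout only).
SAMPLE = [
    LabelChange("alice", frozenset({"Staff"}), "q3.xlsx", "General", "Confidential"),
    LabelChange("bob", frozenset({"Staff"}), "plan.docx", "Confidential", "General", "shared externally"),
    LabelChange("carol", frozenset({AUTHORIZED_GROUP}), "memo.docx", "Highly Confidential", "General", "declassified per review"),
    LabelChange("dave", frozenset({AUTHORIZED_GROUP}), "hr.pdf", "Confidential", None, "  "),
]

if __name__ == "__main__":
    for key, findings in audit(SAMPLE).items():
        print(key, "->", "; ".join(findings))
```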