NIST 800-53 REV 5 • ACCESS CONTROL
AC-16(4) — Association of Attributes by Authorized Individuals
Provide the capability to associate {{ insert: param, ac-16.4_prm_1 }} with {{ insert: param, ac-16.4_prm_2 }} by authorized individuals (or processes acting on behalf of individuals).
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
Systems, in general, provide the capability for privileged users to assign security and privacy attributes to system-defined subjects (e.g., users) and objects (e.g., directories, files, and ports). Some systems provide additional capability for general users to assign security and privacy attributes to additional objects (e.g., files, emails). The association of attributes by authorized individuals is described in the design documentation. The support provided by systems can include prompting users to select security and privacy attributes to be associated with information objects, employing automated mechanisms to categorize information with attributes based on defined policies, or ensuring that the combination of the security or privacy attributes selected is valid. Organizations consider the creation, deletion, or modification of attributes when defining auditable events.
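The following added example is not part of the NIST text or any product's API. It sketches the capability described above: an authorization check on who may label which object type, validation that the selected attribute combination is valid, and an audit event for every creation, modification, or denied attempt. The label sets, role names, invalid combinations, and the `associate` function are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

# Assumed policy data, constructed for this example.
LEVELS = {"Public", "Internal", "Confidential"}
HANDLING = {"None", "PII", "Export-Controlled"}
INVALID_COMBINATIONS = {("Public", "PII"), ("Public", "Export-Controlled")}
# Role -> object types that role may label (privileged vs. general users).
AUTHORIZED = {"admin": {"directory", "file", "email"}, "user": {"file", "email"}}


class AssociationDenied(Exception):
    """Raised when an attribute association is rejected."""


def associate(store, audit_log, actor, role, obj_id, obj_type, level, handling):
    """Associate (level, handling) with obj_id and record an audit event.

    Every attempt is audited, including denied ones, before any change is made.
    """
    if obj_type not in AUTHORIZED.get(role, set()):
        reason = "actor not authorized for this object type"
    elif level not in LEVELS or handling not in HANDLING:
        reason = "attribute not in approved set"
    elif (level, handling) in INVALID_COMBINATIONS:
        reason = "invalid attribute combination"
    else:
        reason = None

    previous = store.get(obj_id)
    event = {
        "time": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "object": obj_id,
        "action": "denied" if reason else ("modify" if previous else "create"),
        "old": previous,
        "new": {"level": level, "handling": handling},
        "reason": reason,
    }
    audit_log.append(event)
    if reason:
        raise AssociationDenied(reason)
    store[obj_id] = dict(event["new"])  # copy so the audit record stays immutable
    return event
```

In a real deployment the audit log would be an append-only sink outside the control of the labeling user, and the role lookup would come from the identity provider rather than a caller-supplied argument.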
Practitioner Notes
Authorized individuals must be able to manually associate security attributes with data when automatic methods are not sufficient or available.
Example 1: In Microsoft Office, train users to apply sensitivity labels via the Sensitivity button on the ribbon before saving or sharing any document. Make this a mandatory step in your SOP for document creation. Users select from your organization's approved label set.
Example 2: For email, require users to select a classification label before sending. In Outlook with the Purview Information Protection add-in, configure the policy to require a label before send. Users who try to send without a label get a prompt to add one.