NIST 800-53 REV 5 • ACCESS CONTROL

AC-16(9) Attribute Reassignment — Regrading Mechanisms

Change security and privacy attributes associated with information only via regrading mechanisms validated using [Assignment: organization-defined techniques or procedures].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

A regrading mechanism is a trusted process authorized to re-classify and re-label data in accordance with a defined policy exception. Validated regrading mechanisms are used by organizations to provide the requisite levels of assurance for attribute reassignment activities. The validation is facilitated by ensuring that regrading mechanisms are single purpose and of limited function. Since security and privacy attribute changes can directly affect policy enforcement actions, implementing trustworthy regrading mechanisms is necessary to help ensure that such mechanisms perform in a consistent and correct mode of operation.

Practitioner Notes

When data needs to be regraded (its classification changed up or down), the system must support that through a controlled mechanism with proper authorization and an audit trail.

Example 1: In Microsoft Purview, enable label downgrade justification. When a user changes a label from CUI to Internal, they must provide a written justification. The justification and the label change are logged in the Purview activity explorer for audit.

Example 2: Create an SOP for formal declassification requests. Route requests through a SharePoint workflow: the data owner submits a request, the classification authority reviews it, and upon approval the security team applies the new label. Store the complete chain in your records management system.
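
The single-purpose, limited-function mechanism described in the Supplemental Guidance can be expressed in code. The Python below is an added illustration, not code from NIST 800-53 or from any Microsoft product: one function is the only path that changes a label, it requires a justification for downgrades and approval by a separate classification authority, and it writes each change to a hash-chained audit log. The label names, the `RegradeRequest` fields, the approver name and the function names are assumptions made for this example.

```python
import hashlib
import json
from dataclasses import dataclass

LABELS = ["Public", "Internal", "CUI"]   # assumed ordering, lowest to highest
AUTHORITIES = {"class-authority-1"}      # assumed approvers (constructed name)
GENESIS = "0" * 64                       # chain anchor for the first log entry

@dataclass(frozen=True)
class RegradeRequest:                    # hypothetical request record
    doc_id: str
    current: str
    target: str
    requester: str
    approver: str = ""
    justification: str = ""

class RegradeDenied(Exception):
    """Raised when a request fails any policy check; nothing is changed."""

def _digest(prev: str, record: dict) -> str:
    return hashlib.sha256((prev + json.dumps(record, sort_keys=True)).encode()).hexdigest()

def regrade(labels: dict, audit: list, req: RegradeRequest) -> None:
    """The single code path permitted to change labels[doc_id]."""
    if req.current not in LABELS or req.target not in LABELS:
        raise RegradeDenied("unknown label")
    if labels.get(req.doc_id) != req.current:
        raise RegradeDenied("stale request: label differs from the one reviewed")
    if LABELS.index(req.target) < LABELS.index(req.current) and not req.justification.strip():
        raise RegradeDenied("downgrade requires a written justification")
    if req.approver not in AUTHORITIES or req.approver == req.requester:
        raise RegradeDenied("needs approval from a separate classification authority")
    record = {"doc": req.doc_id, "from": req.current, "to": req.target, "requester": req.requester,
              "approver": req.approver, "justification": req.justification}
    prev = audit[-1]["hash"] if audit else GENESIS
    # Log first, then apply: a label change never exists without its record.
    audit.append({**record, "prev": prev, "hash": _digest(prev, record)})
    labels[req.doc_id] = req.target

def verify_audit(audit: list) -> bool:
    """Recompute the chain; an edited entry or one removed mid-chain breaks it."""
    prev = GENESIS
    for entry in audit:
        record = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
        if entry["prev"] != prev or entry["hash"] != _digest(prev, record):
            return False
        prev = entry["hash"]
    return True
```

Validating a mechanism of this shape means testing each denial path and the log check, which is practical only because the function does nothing else.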