NIST 800-53 REV 5 • ACCESS CONTROL
AC-4(1) — Object Security and Privacy Attributes
Use {{ insert: param, ac-4.1_prm_1 }} associated with {{ insert: param, ac-4.1_prm_2 }} to enforce {{ insert: param, ac-04.01_odp.09 }} as a basis for flow control decisions.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
Information flow enforcement mechanisms compare security and privacy attributes associated with information (i.e., data content and structure) and source and destination objects and respond appropriately when the enforcement mechanisms encounter information flows not explicitly allowed by information flow policies. For example, an information object labeled Secret would be allowed to flow to a destination object labeled Secret, but an information object labeled Top Secret would not be allowed to flow to a destination object labeled Secret. A dataset of personally identifiable information may be tagged with restrictions against combining with other types of datasets and, thus, would not be allowed to flow to the restricted dataset. Security and privacy attributes can also include source and destination addresses employed in traffic filter firewalls. Flow enforcement using explicit security or privacy attributes can be used, for example, to control the release of certain types of information.
Practitioner Notes
This enhancement ensures that security and privacy attributes, such as classification labels, travel with the data as it moves between systems. The receiving system or enforcement point compares those attributes with its own before allowing the flow to proceed.
Example 1: Use Microsoft Information Protection labels that embed into the file metadata. When a labeled document is shared via email, the recipient's Exchange Online checks the label and enforces the associated DLP policy — even if the document ends up on a different tenant.
Example 2: In a cross-domain environment, configure your cross-domain solution to read file metadata headers for classification markings. Only files with approved markings (e.g., UNCLASSIFIED or CUI) can pass through. Files without proper labels are quarantined for review.
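The comparison described in the supplemental guidance (Secret may flow to Secret, Top Secret may not flow to Secret, a no-combine PII dataset may not flow into a destination holding other data types) and the cross-domain guard behaviour in Example 2 (approved markings pass, unmarked files are quarantined) can be shown in a single policy decision routine. The following is an added illustration, not NIST text and not any vendor's product logic; the level ordering, the `X-Classification` and `X-Compartments` header names, and the sample objects and files are all constructed for this example. The real attributes, objects and flow policies are the organization-defined parameters of AC-4(1).

```python
"""Attribute-based information flow decisions in the style of AC-4(1).

Added example: the marking scheme, header names and sample data below are
constructed for illustration and are not part of the control text.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Mapping, Optional

# Assumed linear ordering of classification levels (constructed).
LEVELS = {"UNCLASSIFIED": 0, "CUI": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Attributes:
    """Security/privacy attributes bound to an information object or to a
    source/destination object."""
    level: str
    compartments: frozenset = frozenset()   # need-to-know categories
    data_types: frozenset = frozenset()     # content categories, e.g. {"PII"}
    no_combine: bool = False                # privacy restriction on combining datasets


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    QUARANTINE = "quarantine"   # no usable attributes; hold for human review


def dominates(dst: Attributes, src: Attributes) -> bool:
    """dst may receive src only if its level is at least as high and it
    holds every compartment src carries (lattice dominance)."""
    return (LEVELS[dst.level] >= LEVELS[src.level]
            and src.compartments <= dst.compartments)


def decide_flow(info: Attributes, dst: Attributes) -> Decision:
    """Compare the information object's attributes with the destination's."""
    if not dominates(dst, info):
        return Decision.DENY          # e.g. TOP SECRET -> SECRET
    # Privacy attribute: a dataset marked no-combine must not land in a
    # destination that already holds other kinds of data.
    if info.no_combine and (dst.data_types - info.data_types):
        return Decision.DENY
    return Decision.ALLOW


# ---- Cross-domain guard reading markings from file metadata headers ----
# Header names are assumed for this example.
LEVEL_HEADER = "X-Classification"
COMPARTMENT_HEADER = "X-Compartments"


def parse_marking(headers: Mapping[str, str]) -> Optional[Attributes]:
    """Extract attributes from metadata headers; None when unmarked or the
    marking is not one the guard recognises."""
    level = headers.get(LEVEL_HEADER, "").strip().upper()
    if level not in LEVELS:
        return None
    comps = headers.get(COMPARTMENT_HEADER, "")
    compartments = frozenset(c.strip().upper() for c in comps.split(",") if c.strip())
    return Attributes(level=level, compartments=compartments)


def guard(headers: Mapping[str, str], approved_levels: frozenset,
          dst: Attributes) -> Decision:
    """Cross-domain guard: unmarked files are quarantined; markings outside
    the approved set, or not dominated by the destination, are denied."""
    info = parse_marking(headers)
    if info is None:
        return Decision.QUARANTINE
    if info.level not in approved_levels:
        return Decision.DENY
    return decide_flow(info, dst)


if __name__ == "__main__":
    # Constructed sample objects and files.
    secret_share = Attributes(level="SECRET")
    print(decide_flow(Attributes(level="SECRET"), secret_share))         # ALLOW
    print(decide_flow(Attributes(level="TOP SECRET"), secret_share))     # DENY
    pii = Attributes(level="CUI", data_types=frozenset({"PII"}), no_combine=True)
    mixed_lake = Attributes(level="CUI", data_types=frozenset({"PII", "FINANCE"}))
    print(decide_flow(pii, mixed_lake))                                  # DENY
    low_side = Attributes(level="CUI", compartments=frozenset({"NOFORN"}))
    approved = frozenset({"UNCLASSIFIED", "CUI"})
    print(guard({"X-Classification": "CUI"}, approved, low_side))        # ALLOW
    print(guard({"X-Classification": "SECRET"}, approved, low_side))     # DENY
    print(guard({"Content-Type": "application/pdf"}, approved, low_side))  # QUARANTINE
```

Two design points worth noting: the decision is made by comparing attributes of the information object against attributes of the destination object, never by trusting a flag set by the sender; and a missing or unrecognised marking yields a distinct QUARANTINE outcome rather than a silent default to ALLOW or DENY, so that unlabeled files surface for review as Example 2 requires.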