NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION
SC-16 — Transmission of Security and Privacy Attributes
Associate [Assignment: organization-defined security and privacy attributes] with information exchanged between systems and between system components.
Supplemental Guidance
Security and privacy attributes can be explicitly or implicitly associated with the information contained in organizational systems or system components. Attributes are abstractions that represent the basic properties or characteristics of an entity with respect to protecting information or the management of personally identifiable information. Attributes are typically associated with internal data structures, including records, buffers, and files within the system. Security and privacy attributes are used to implement access control and information flow control policies; reflect special dissemination, management, or distribution instructions, including permitted uses of personally identifiable information; or support other aspects of the information security and privacy policies. Privacy attributes may be used independently or in conjunction with security attributes.
Practitioner Notes
When data moves between systems, its security labels and privacy attributes (classification level, handling caveats, access restrictions) must travel with it and be interpreted correctly by the receiving system.
Example 1: Use Microsoft Purview Information Protection sensitivity labels. When a document labeled "Confidential" is emailed or shared, the label travels with the file. The receiving system (Exchange, SharePoint, Teams) reads the label and enforces the associated protections automatically.
Example 2: In DoD environments, use data tags in email headers (X-headers) that indicate the classification level and handling caveats. Your email gateway reads these tags and applies appropriate routing and encryption rules based on the data's sensitivity.
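The gateway behavior in Example 2, sketched as an added example (not code from NIST or from any gateway product). The header names, label and caveat values, and routes are assumptions chosen for illustration. A message whose label is missing, duplicated, or unrecognized is quarantined rather than sent down a default route.

```python
from email import message_from_string

# Header names, labels, caveats and routes are assumptions made for this example.
LABEL_HEADER = "X-Classification"
CAVEAT_HEADER = "X-Handling-Caveats"
POLICY = {  # label -> (route, encryption required)
    "UNCLASSIFIED": ("internet-relay", False),
    "CUI": ("partner-relay", True),
}
KNOWN_CAVEATS = {"NOFORN", "FEDCON"}


def quarantine(reason):
    return {"action": "quarantine", "reason": reason}


def gateway_decision(raw):
    """Map a message's attribute headers to a routing decision, failing closed."""
    msg = message_from_string(raw)
    labels = msg.get_all(LABEL_HEADER) or []
    # A missing label means the attribute was lost in transit; more than one
    # makes it ambiguous. Neither case may fall through to a default route.
    if len(labels) != 1:
        return quarantine(f"expected one {LABEL_HEADER} header, found {len(labels)}")
    label = labels[0].strip().upper()
    if label not in POLICY:
        return quarantine(f"unrecognized label {label!r}")
    caveat_headers = msg.get_all(CAVEAT_HEADER) or []
    if len(caveat_headers) > 1:
        return quarantine(f"multiple {CAVEAT_HEADER} headers")
    caveats = {c.strip().upper() for c in "".join(caveat_headers).split(",") if c.strip()}
    if caveats - KNOWN_CAVEATS:
        return quarantine(f"unrecognized caveats {sorted(caveats - KNOWN_CAVEATS)}")
    route, encrypt = POLICY[label]
    if "NOFORN" in caveats:  # constructed rule: this caveat keeps mail internal
        route, encrypt = "internal-only", True
    return {"action": "deliver", "route": route, "encrypt": encrypt,
            "label": label, "caveats": sorted(caveats)}


# Constructed sample messages.
LABELLED = "From: a@example.org\nX-Classification: CUI\nX-Handling-Caveats: FEDCON\n\nbody\n"
UNLABELLED = "From: a@example.org\nSubject: status\n\nbody\n"
CONFLICTING = "X-Classification: UNCLASSIFIED\nX-Classification: CUI\n\nbody\n"

if __name__ == "__main__":
    for sample in (LABELLED, UNLABELLED, CONFLICTING):
        print(gateway_decision(sample))
```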