catalog: SP800-53rev3 / class: Technical / family: (AC) Access Control


  AC-16: Security Attributes  

base control objective:
The information system supports and maintains the binding of [Assignment: organization-defined security attributes] to information in storage, in process, and in transmission.

supplemental objective information:
Security attributes are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These attributes are typically associated with internal data structures (e.g., records, buffers, files) within the information system and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. The term security label is often used to associate a set of security attributes with a specific information object as part of the data structure for that object (e.g., user access privileges, nationality, affiliation as contractor).

enhancements to the base objective:

(1) The information system dynamically reconfigures security attributes in accordance with an identified security policy as information is created and combined.

(2) The information system allows authorized entities to change security attributes.

(3) The information system maintains the binding of security attributes to information with sufficient assurance that the information-attribute association can be used as the basis for automated policy actions.
Enhancement Supplemental Guidance: Examples of automated policy actions include automated access control decisions (e.g., Mandatory Access Control decisions), or decisions to release (or not release) information (e.g., information flows via cross domain systems).

(4) The information system allows authorized users to associate security attributes with information.
Enhancement Supplemental Guidance: The support provided by the information system can vary from prompting users to select security attributes to be associated with specific information objects, to ensuring that the combination of attributes selected is valid.

(5) The information system displays security attributes in human-readable form on each object (page, screen, or equivalent) that the system outputs to external output devices to identify [Assignment: organization-identified set of special dissemination, handling, or distribution instructions] using [Assignment: organization-identified human readable, standard naming conventions].
Enhancement Supplemental Guidance: Information system output devices include, for example, printers and video displays on computer terminals, monitors, screens on notebook/laptop computers and personal digital assistants.

mapping to FIPS199 baseline:

  LOW: null     MOD: null     HIGH: null  

related (regimented) controls:

AC-03   Access Enforcement
AC-04   Information Flow Enforcement
SC-16   Transmission of Security Attributes
MP-03   Media Marking

documents referenced in SP800-53rev3 for AC-16:

Document              Date             Status   Title
FIPS 188              September, 1994  current  Standard Security Label for Information Transfer, September 1994
NIST SP800-12         October, 1995    current  An Introduction to Computer Security: The NIST Handbook
NIST SP800-57, part1  August, 2005     current  Recommendation for Key Management, part 1
NIST SP800-57, part2  August, 2005     current  Recommendation for Key Management, part 2
