
AC-16 SECURITY ATTRIBUTES


Overview

Number | Title | Impact | Priority | Subject Area
AC-16 | Security Attributes | | P0 | Access Control

Instructions
The organization:
AC-16a.
Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;
AC-16b.
Ensures that the security attribute associations are made and retained with the information;
AC-16c.
Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and
AC-16d.
Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes.
Guidance
Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes, when bound to data/information, enable the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information.
Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling). Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret.

Enhancements
AC-16 (1) Dynamic Attribute Association
Dynamic association of security attributes is appropriate whenever the security characteristics of information change over time. Security attributes may change, for example, due to information aggregation issues (i.e., the security characteristics of individual information elements are different from the combined elements), changes in individual access authorizations (i.e., privileges), and changes in the security category of information.

The information system dynamically associates security attributes with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies] as information is created and combined.

AC-16 (2) Attribute Value Changes By Authorized Individuals
The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for information systems to be able to limit the ability to create or modify security attributes to authorized individuals.

The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security attributes.

AC-16 (3) Maintenance Of Attribute Associations By Information System
Maintaining the association and integrity of security attributes to subjects and objects with sufficient assurance helps to ensure that the attribute associations can be used as the basis of automated policy actions. Automated policy actions include, for example, access control decisions or information flow control decisions.

The information system maintains the association and integrity of [Assignment: organization-defined security attributes] to [Assignment: organization-defined subjects and objects].

AC-16 (4) Association Of Attributes By Authorized Individuals
The support provided by information systems can vary to include: (i) prompting users to select specific security attributes to be associated with specific information objects; (ii) employing automated mechanisms for categorizing information with appropriate attributes based on defined policies; or (iii) ensuring that the combination of selected security attributes is valid. Organizations consider the creation, deletion, or modification of security attributes when defining auditable events.

The information system supports the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals).

AC-16 (5) Attribute Displays For Output Devices
Information system outputs include, for example, pages, screens, or equivalent. Information system output devices include, for example, printers and video displays on computer workstations, notebook computers, and personal digital assistants.

The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-identified special dissemination, handling, or distribution instructions] using [Assignment: organization-identified human-readable, standard naming conventions].

AC-16 (6) Maintenance Of Attribute Association By Organization
This control enhancement requires individual users (as opposed to the information system) to maintain associations of security attributes with subjects and objects.

The organization allows personnel to associate, and maintain the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies].

AC-16 (7) Consistent Attribute Interpretation
In order to enforce security policies across multiple components in distributed information systems (e.g., distributed database management systems, cloud-based systems, and service-oriented architectures), organizations provide a consistent interpretation of security attributes that are used in access enforcement and flow enforcement decisions. Organizations establish agreements and processes to ensure that all distributed information system components implement security attributes with consistent interpretations in automated access/flow enforcement actions.

The organization provides a consistent interpretation of security attributes transmitted between distributed information system components.

AC-16 (8) Association Techniques / Technologies
The association (i.e., binding) of security attributes to information within information systems is of significant importance with regard to conducting automated access enforcement and flow enforcement actions. The association of such security attributes can be accomplished with technologies/techniques providing different levels of assurance. For example, information systems can cryptographically bind security attributes to information using digital signatures with the supporting cryptographic keys protected by hardware devices (sometimes known as hardware roots of trust).

The information system implements [Assignment: organization-defined techniques or technologies] with [Assignment: organization-defined level of assurance] in associating security attributes to information.
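
The cryptographic binding described in the AC-16 (8) guidance, as an added example that is not part of the control text. It uses an HMAC from Python's standard library as a stand-in for the digital signature, and a constructed in-source key where the guidance places a hardware-protected key; the attribute names, the permitted-value table and the function names are assumptions.

```python
import hashlib
import hmac
import json

# Assumption: permitted attribute types and values (AC-16c/d), constructed here.
PERMITTED = {
    "classification": {"Unclassified", "Secret", "Top Secret"},
    "release": {"US only", "NATO", "NOFORN"},
}

# Constructed demo key; the guidance has such keys protected by hardware devices.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def _canonical(attrs, content):
    """Serialize attributes and a content digest into one unambiguous blob."""
    digest = hashlib.sha256(content).hexdigest()
    return json.dumps({"attrs": attrs, "sha256": digest},
                      sort_keys=True, separators=(",", ":")).encode()


def validate(attrs):
    """Reject attribute types or values outside the permitted set."""
    for name, value in attrs.items():
        if name not in PERMITTED:
            raise ValueError(f"attribute type not permitted: {name}")
        if value not in PERMITTED[name]:
            raise ValueError(f"value not permitted for {name}: {value}")


def bind(attrs, content, key=DEMO_KEY):
    """Return a tag that ties these attributes to exactly this content."""
    validate(attrs)
    return hmac.new(key, _canonical(attrs, content), hashlib.sha256).hexdigest()


def verify(attrs, content, tag, key=DEMO_KEY):
    """True only if neither attributes nor content changed since bind()."""
    expected = hmac.new(key, _canonical(attrs, content), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    doc = b"constructed sample record"
    label = {"classification": "Top Secret", "release": "NOFORN"}
    tag = bind(label, doc)
    print(verify(label, doc, tag))                                  # intact binding
    print(verify({**label, "classification": "Secret"}, doc, tag))  # label altered
    print(verify(label, doc + b"!", tag))                           # content altered
```

Because the tag covers the attributes and the content digest together, an enforcement point that checks it before an access or flow decision rejects both a relabelled object and a label moved onto different content.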

AC-16 (9) Attribute Reassignment
Validated re-grading mechanisms are employed by organizations to provide the requisite levels of assurance for security attribute reassignment activities. The validation is facilitated by ensuring that re-grading mechanisms are single purpose and of limited function. Since security attribute reassignments can affect security policy enforcement actions (e.g., access/flow enforcement decisions), using trustworthy re-grading mechanisms is necessary to ensure that such mechanisms perform in a consistent/correct mode of operation.

The organization ensures that security attributes associated with information are reassigned only via re-grading mechanisms validated using [Assignment: organization-defined techniques or procedures].

AC-16 (10) Attribute Configuration By Authorized Individuals
The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for information systems to be able to limit the ability to create or modify security attributes to authorized individuals only.

The information system provides authorized individuals the capability to define or change the type and value of security attributes available for association with subjects and objects.