CCI-002289

Provide the capability to associate organization-defined security attributes with organization-defined subjects by authorized individuals (or processes acting on behalf of individuals).

Implementation Guidance

Determine if: - authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate [AC-16(04)_ODP[01]; security attributes to be associated with subjects by authorized individuals (or processes acting on behalf of individuals) are defined] with [AC-16(04)_ODP[05]; subjects requiring the association of security attributes by authorized individuals (or processes acting on behalf of individuals) are defined]. - authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate [AC-16(04)_ODP[02]; security attributes to be associated with objects by authorized individuals (or processes acting on behalf of individuals) are defined] with [AC-16(04)_ODP[06]; objects requiring the association of security attributes by authorized individuals (or processes acting on behalf of individuals) are defined]. - authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate [AC-16(04)_ODP[03]; privacy attributes to be associated with subjects by authorized individuals (or processes acting on behalf of individuals) are defined] with [AC-16(04)_ODP[07]; subjects requiring the association of privacy attributes by authorized individuals (or processes acting on behalf of individuals) are defined]. - authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate [AC-16(04)_ODP[04]; privacy attributes to be associated with objects by authorized individuals (or processes acting on behalf of individuals) are defined] with [AC-16(04)_ODP[08]; objects requiring the association of privacy attributes by authorized individuals (or processes acting on behalf of individuals) are defined].

Validation Procedures

Examine: [SELECT FROM: Access control policy; procedures addressing the association of security and privacy attributes to information; system design documentation; system configuration settings and associated documentation; list of users authorized to associate security and privacy attributes to information; system prompts for privileged users to select security and privacy attributes to be associated with information objects; system audit records; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with responsibilities for associating security and privacy attributes to information; organizational personnel with information security and privacy responsibilities; system developers]. Test: [SELECT FROM: Mechanisms supporting user associations of security and privacy attributes to information].

The controls below (if any) were marked by NIST as being related to CCI-002289.