CCI-002294

Defines the objects to be associated, and that association maintained, with organization-defined security attributes in accordance with organization-defined security policies.

Implementation Guidance

Determine if: - personnel are required to associate and maintain the association of [AC-16(06)_ODP[01]; security attributes to be associated with subjects are defined] with [AC-16(06)_ODP[05]; subjects to be associated with information security attributes are defined] in accordance with [AC-16(06)_ODP[09]; security policies that require personnel to associate and maintain the association of security and privacy attributes with subjects and objects]. - personnel are required to associate and maintain the association of [AC-16(06)_ODP[02]; security attributes to be associated with objects are defined] with [AC-16(06)_ODP[06]; objects to be associated with information security attributes are defined] in accordance with [AC-16(06)_ODP[09]; security policies that require personnel to associate and maintain the association of security and privacy attributes with subjects and objects]. - personnel are required to associate and maintain the association of [AC-16(06)_ODP[03]; privacy attributes to be associated with subjects are defined] with [AC-16(06)_ODP[07]; subjects to be associated with privacy attributes are defined] in accordance with [AC-16(06)_ODP[10]; privacy policies that require personnel to associate and maintain the association of security and privacy attributes with subjects and objects]. - personnel are required to associate and maintain the association of [AC-16(06)_ODP[04]; privacy attributes to be associated with objects are defined] with [AC-16(06)_ODP[08]; objects to be associated with privacy attributes are defined] in accordance with [AC-16(06)_ODP[10]; privacy policies that require personnel to associate and maintain the association of security and privacy attributes with subjects and objects].

Validation Procedures

Examine: [SELECT FROM: Access control policy; procedures addressing association of security and privacy attributes with subjects and objects; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with responsibilities for associating and maintaining association of security and privacy attributes with subjects and objects; organizational personnel with information security and privacy responsibilities; system developers]. Test: [SELECT FROM: Mechanisms supporting associations of security and privacy attributes to subjects and objects].

The controls below (if any) were marked by NIST as being related to CCI-002294.