Navigate

CCI-003708

CCI-003708 Definition

Review organization-defined security attributes for applicability on an organization-defined frequency.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if: - [AC-16_ODP[07]; security attributes defined as part of AC-16a that are permitted for systems are defined] are reviewed for applicability [AC-16_ODP[10]; the frequency at which to review security attributes for applicability is defined]. - [AC-16_ODP[08]; privacy attributes defined as part of AC-16a that are permitted for systems are defined] are reviewed for applicability [AC-16_ODP[11]; the frequency at which to review privacy attributes for applicability is defined].

Validation Procedures

Examine: [SELECT FROM: Access control policy; procedures addressing the association of security and privacy attributes to information in storage, in process, and in transmission; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: System/network administrators; organizational personnel with information security and privacy responsibilities; system developers]. Test: [SELECT FROM: Organizational capability supporting and maintaining the association of security and privacy attributes to information in storage, in process, and in transmission].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003708.

Control	Description
AC-16	a: Provide the means to associate [one of ] with [one of ] for information in storage, in process, and/or in transmission; b: Ensure that the attribute associations are made and retained with the information; c: Establish the following permitted security and privacy attributes from the attributes defined in [AC-16a](#ac-16_smt.a) for [one of ]: [one of ]; d: Determine the following permitted attribute values or ranges for each of the established attributes: [attribute values or ranges for established attributes are defined;]; e: Audit changes to attributes; and f: Review [one of ] for applicability [one of ].

Control

Description

AC-16

a: Provide the means to associate [one of ] with [one of ] for information in storage, in process, and/or in transmission;

b: Ensure that the attribute associations are made and retained with the information;

c: Establish the following permitted security and privacy attributes from the attributes defined in [AC-16a](#ac-16_smt.a) for [one of ]: [one of ];

d: Determine the following permitted attribute values or ranges for each of the established attributes: [attribute values or ranges for established attributes are defined;];

e: Audit changes to attributes; and

f: Review [one of ] for applicability [one of ].