CCI-003713

Dynamically associate privacy attributes with organization-defined objects in accordance with organization-defined privacy policies as information is created and combined.

Implementation Guidance

Determine if: - security attributes are dynamically associated with [AC-16(01)_ODP[01]; subjects with which security attributes are to be dynamically associated as information is created and combined are defined] in accordance with the following security policies as information is created and combined: [AC-16(01)_ODP[05]; security policies requiring dynamic association of security attributes with subjects and objects are defined]. - security attributes are dynamically associated with [AC-16(01)_ODP[02]; objects with which security attributes are to be dynamically associated as information is created and combined are defined] in accordance with the following security policies as information is created and combined: [AC-16(01)_ODP[05]; security policies requiring dynamic association of security attributes with subjects and objects are defined]. - privacy attributes are dynamically associated with [AC-16(01)_ODP[03]; subjects with which privacy attributes are to be dynamically associated as information is created and combined are defined] in accordance with the following privacy policies as information is created and combined: [AC-16(01)_ODP[06]; privacy policies requiring dynamic association of privacy attributes with subjects and objects are defined.] - privacy attributes are dynamically associated with [AC-16(01)_ODP[04]; objects with which privacy attributes are to be dynamically associated as information is created and combined are defined] in accordance with the following privacy policies as information is created and combined: [AC-16(01)_ODP[06]; privacy policies requiring dynamic association of privacy attributes with subjects and objects are defined].

Validation Procedures

Examine: [SELECT FROM: Access control policy; procedures addressing dynamic association of security and privacy attributes to information; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: System/network administrators; organizational personnel with information security and privacy responsibilities; system developers]. Test: [SELECT FROM: Automated mechanisms implementing dynamic association of security and privacy attributes to information].

The controls below (if any) were marked by NIST as being related to CCI-003713.