Navigate

AC-16 (2)

AC-16 (2): Attribute Value Changes By Authorized Individuals

The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security attributes.

Supplemental

The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for information systems to be able to limit the ability to create or modify security attributes to authorized individuals.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
Cross Domain (Access), Cross Domain (Multilevel), Cross Domain (Transfer), NC3

Related Controls

The controls below (if any) were marked by NIST as being related to AC-16 (2).

Control	Description
AC-6	The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
AU-2	The organization: AU-2a.: Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; AU-2b.: Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; AU-2c.: Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and AU-2d.: Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].

Control

Description

AC-6

The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

AU-2

The organization:

AU-2a.: Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];

AU-2b.: Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;

AU-2c.: Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and

AU-2d.: Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].

Enhancements

The controls below (if any) add on to the requirements of AC-16 (2).

Control	Description
No controls

Related CCIs

The CCIs below are tied to AC-16 (2).

CCI	Definition
CCI-001425	The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to change the value of associated security attributes.
CCI-001559	The organization identifies the individuals authorized to change the value of associated security attributes.
CCI-002276	The organization identifies the individuals authorized to define the value of associated security attributes.
CCI-002277	The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define the value of associated security attributes.