Navigate

AU-10(4)

AU-10(4): Validate Binding of Information Reviewer Identity

(a): Validate the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between [security domains for which the binding of the information reviewer identity to the information is to be validated at transfer or release are defined;] ; and

(b): Perform [actions to be performed in the event of a validation error are defined;] in the event of a validation error.

Supplemental

Validating the binding of the information reviewer identity to the information at transfer or release points prevents the unauthorized modification of information between review and the transfer or release. The validation of bindings can be achieved by using cryptographic checksums. Organizations determine if validations are in response to user requests or generated automatically.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
CDS - Multilevel, CDS - Transfer, NC3

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to AU-10(4).

Control	Description
AC-4	Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [information flow control policies within the system and between connected systems are defined;].
AC-16	a: Provide the means to associate [one of ] with [one of ] for information in storage, in process, and/or in transmission; b: Ensure that the attribute associations are made and retained with the information; c: Establish the following permitted security and privacy attributes from the attributes defined in [AC-16a](#ac-16_smt.a) for [one of ]: [one of ]; d: Determine the following permitted attribute values or ranges for each of the established attributes: [attribute values or ranges for established attributes are defined;]; e: Audit changes to attributes; and f: Review [one of ] for applicability [one of ].

Control

Description

AC-4

Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [information flow control policies within the system and between connected systems are defined;].

AC-16

a: Provide the means to associate [one of ] with [one of ] for information in storage, in process, and/or in transmission;

b: Ensure that the attribute associations are made and retained with the information;

c: Establish the following permitted security and privacy attributes from the attributes defined in [AC-16a](#ac-16_smt.a) for [one of ]: [one of ];

d: Determine the following permitted attribute values or ranges for each of the established attributes: [attribute values or ranges for established attributes are defined;];

e: Audit changes to attributes; and

f: Review [one of ] for applicability [one of ].

Enhancements

The controls below (if any) add on to the requirements of AU-10(4).

Control	Description
No controls

Related CCIs

The CCIs below are tied to AU-10(4).

CCI	Definition
CCI-001341	Validate the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between organization-defined security domains.
CCI-001907	Defines the security domains which will require the system validate the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer.
CCI-001908	Defines the action the system is to perform in the event of an information reviewer identity binding validation error.
CCI-001909	Perform organization-defined actions in the event of an information reviewer identity binding validation error.