Navigate

AU-10(4)

AU-10(4): Validate Binding of Information Reviewer Identity

The information system:

(a): Validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between [organization-defined security domains]; and

(b): Performs [organization-defined actions] in the event of a validation error.

Supplemental

This control enhancement prevents the modification of information between review and transfer/release. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Organizations determine validations are in response to user requests or generated automatically.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
None

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to AU-10(4).

Control	Description
AC-4	The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [organization-defined information flow control policies].
AC-16	The organization: a: Provides the means to associate [organization-defined types of security attributes] having [organization-defined security attribute values] with information in storage, in process, and/or in transmission; b: Ensures that the security attribute associations are made and retained with the information; c: Establishes the permitted [organization-defined security attributes] for [organization-defined information systems]; and d: Determines the permitted [organization-defined values or ranges] for each of the established security attributes.

Control

Description

AC-4

The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [organization-defined information flow control policies].

AC-16

The organization:

a: Provides the means to associate [organization-defined types of security attributes] having [organization-defined security attribute values] with information in storage, in process, and/or in transmission;

b: Ensures that the security attribute associations are made and retained with the information;

c: Establishes the permitted [organization-defined security attributes] for [organization-defined information systems]; and

d: Determines the permitted [organization-defined values or ranges] for each of the established security attributes.

Enhancements

The controls below (if any) add on to the requirements of AU-10(4).

Control	Description
No controls

Related CCIs

The CCIs below are tied to AU-10(4).

CCI	Definition
CCI-001341	Validate the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between organization-defined security domains.
CCI-001907	Defines the security domains which will require the system validate the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer.
CCI-001908	Defines the action the system is to perform in the event of an information reviewer identity binding validation error.
CCI-001909	Perform organization-defined actions in the event of an information reviewer identity binding validation error.