Detections
Analytics

800-53|AC-16

Title

SECURITY ATTRIBUTES

Description

The organization:

Supplemental

Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes when bound to data/information, enables the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals). By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling). Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret.

Reference Item Details

Related: AC-21,AC-3,AC-4,AC-6,AU-10,AU-2,MP-3,SC-16

Category: ACCESS CONTROL

Family: ACCESS CONTROL

Priority: P0

Audit Items

View all Reference Audit Items

NamePluginAudit Name
2.16.2 - General permissions management - un-owned files and directories - 'no unowned files exist'UnixCIS AIX 5.3/6.1 L2 v1.1.0
6.1.11 Ensure no unowned files or directories existUnixCIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
6.1.11 Ensure no unowned files or directories existUnixCIS Amazon Linux v2.1.0 L1
6.1.11 Ensure no unowned files or directories existUnixCIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
6.1.12 Ensure no ungrouped files or directories existUnixCIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
6.1.12 Ensure no ungrouped files or directories existUnixCIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
6.1.12 Ensure no ungrouped files or directories existUnixCIS Amazon Linux v2.1.0 L1
6.7 Find 'Unowned' Files and DirectoriesUnixCIS FreeBSD v1.0.5
6.7 Find All Unowned FilesUnixCIS Solaris 9 v1.3
9.17 Check That Reserved UIDs Are Assigned to System AccountsUnixCIS Solaris 11.1 L1 v1.0.0
9.17 Check That Reserved UIDs Are Assigned to System AccountsUnixCIS Solaris 11 L1 v1.1.0
9.17 Check That Reserved UIDs Are Assigned to System AccountsUnixCIS Solaris 10 L1 v5.2
9.23 Find Un-owned Files and DirectoriesUnixCIS Solaris 11.2 L1 v1.1.0
9.24 Find Un-owned Files and DirectoriesUnixCIS Solaris 10 L1 v5.2
9.24 Find Un-owned Files and DirectoriesUnixCIS Solaris 11 L1 v1.1.0
9.24 Find Un-owned Files and DirectoriesUnixCIS Solaris 11.1 L1 v1.0.0
12.8 Find Un-owned Files and DirectoriesUnixCIS Debian Linux 7 L1 v1.0.0
12.8 Find Un-owned Files and DirectoriesUnixCIS Ubuntu 12.04 LTS Benchmark L1 v1.1.0
12.9 Find Un-grouped Files and DirectoriesUnixCIS Ubuntu 12.04 LTS Benchmark L1 v1.1.0
12.9 Find Un-grouped Files and DirectoriesUnixCIS Debian Linux 7 L1 v1.0.0
Ensure no ungrouped files or directories existUnixTenable Cisco Firepower Management Center OS Best Practices Audit
SHPT-00-000010 - SharePoint must maintain and support the use of organizationally defined security attributes to stored information - Document Library'WindowsDISA STIG SharePoint 2010 v1r9
SHPT-00-000010 - SharePoint must maintain and support the use of organizationally defined security attributes to stored information.WindowsDISA STIG SharePoint 2010 v1r9
SHPT-00-000040 - SharePoint must allow authorized users to associate security attributes with information.WindowsDISA STIG SharePoint 2010 v1r9
SQL2-00-000900 - SQL Server must allow authorized users to associate security labels to information in the database.MS_SQLDBDISA STIG SQL Server 2012 Database Audit v1r20