800-53|AC-16

Title

SECURITY ATTRIBUTES

Description

The organization:

Supplemental

Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes, when bound to data/information, enable the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Organizations can define the types of attributes needed for selected information systems to support missions/business functions. There is potentially a wide range of values that can be assigned to any given security attribute. Release markings could include, for example, US only, NATO, or NOFORN (not releasable to foreign nationals).
By specifying permitted attribute ranges and values, organizations can ensure that the security attribute values are meaningful and relevant. The term security labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. Security labels include, for example, access authorizations, data life cycle protection (i.e., encryption and data expiration), nationality, affiliation as contractor, and classification of information in accordance with legal and compliance requirements. The term security marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. The AC-16 base control represents the requirement for user-based attribute association (marking). The enhancements to AC-16 represent additional requirements including information system-based attribute association (labeling). Types of attributes include, for example, classification level for objects and clearance (access authorization) level for subjects. An example of a value for both of these attribute types is Top Secret.
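As an added illustration of the guidance above (not part of NIST SP 800-53 or of this audit reference), the following Python models the binding of security attributes to subjects and objects, rejects attribute values outside an organization-defined permitted range, and makes a read-access decision from the bound labels. The level names, release markings, and the release rules in may_read are constructed for the example and are not a standard policy.

```python
from dataclasses import dataclass

# Permitted attribute values; AC-16 expects organizations to define these ranges.
# The level names and release markings below are constructed from the guidance text.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
RELEASE_MARKINGS = {"US ONLY", "NATO", "NOFORN"}


@dataclass(frozen=True)
class Label:
    """Security attribute set bound to a subject or object (the 'binding' step)."""
    level: str
    markings: frozenset = frozenset()

    def __post_init__(self):
        # Reject out-of-range values at binding time so every label stays meaningful.
        if self.level not in LEVELS:
            raise ValueError(f"unknown classification level: {self.level!r}")
        unknown = self.markings - RELEASE_MARKINGS
        if unknown:
            raise ValueError(f"unknown release markings: {sorted(unknown)}")


@dataclass(frozen=True)
class Subject:
    """Active entity: a user, or a process acting on a user's behalf."""
    name: str
    clearance: Label
    nationality: str                        # e.g. "US", "GB"
    affiliations: frozenset = frozenset()   # e.g. {"NATO"}


@dataclass(frozen=True)
class Object:
    """Passive entity: a record, file, message buffer, ..."""
    name: str
    classification: Label


def may_read(subject: Subject, obj: Object) -> bool:
    """Hypothetical read policy enforced from the bound labels: the clearance
    level must dominate the classification level, and the object's release
    markings must permit the subject (NOFORN / US ONLY: US nationals only;
    NATO: US nationals or NATO-affiliated subjects)."""
    if LEVELS[subject.clearance.level] < LEVELS[obj.classification.level]:
        return False
    marks = obj.classification.markings
    if marks & {"NOFORN", "US ONLY"} and subject.nationality != "US":
        return False
    if "NATO" in marks and subject.nationality != "US" and "NATO" not in subject.affiliations:
        return False
    return True
```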

Reference Item Details

Related: AC-21, AC-3, AC-4, AC-6, AU-10, AU-2, MP-3, SC-16

Category: ACCESS CONTROL

Family: ACCESS CONTROL

Priority: P0

Audit Items


Name | Plugin | Audit Name
2.16.2 - General permissions management - un-owned files and directories - 'no unowned files exist' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0
6.1.11 Ensure no unowned files or directories exist | Unix | CIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
6.1.11 Ensure no unowned files or directories exist | Unix | CIS Amazon Linux v2.1.0 L1
6.1.11 Ensure no unowned files or directories exist | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
6.1.12 Ensure no ungrouped files or directories exist | Unix | CIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
6.1.12 Ensure no ungrouped files or directories exist | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
6.1.12 Ensure no ungrouped files or directories exist | Unix | CIS Amazon Linux v2.1.0 L1
6.7 Find 'Unowned' Files and Directories | Unix | CIS FreeBSD v1.0.5
9.17 Check That Reserved UIDs Are Assigned to System Accounts | Unix | CIS Solaris 11.1 L1 v1.0.0
9.17 Check That Reserved UIDs Are Assigned to System Accounts | Unix | CIS Solaris 11 L1 v1.1.0
9.17 Check That Reserved UIDs Are Assigned to System Accounts | Unix | CIS Solaris 10 L1 v5.2
9.23 Find Un-owned Files and Directories | Unix | CIS Solaris 11.2 L1 v1.1.0
9.24 Find Un-owned Files and Directories | Unix | CIS Solaris 10 L1 v5.2
9.24 Find Un-owned Files and Directories | Unix | CIS Solaris 11 L1 v1.1.0
9.24 Find Un-owned Files and Directories | Unix | CIS Solaris 11.1 L1 v1.0.0
12.8 Find Un-owned Files and Directories | Unix | CIS Debian Linux 7 L1 v1.0.0
12.8 Find Un-owned Files and Directories | Unix | CIS Ubuntu 12.04 LTS Benchmark L1 v1.1.0
12.9 Find Un-grouped Files and Directories | Unix | CIS Ubuntu 12.04 LTS Benchmark L1 v1.1.0
12.9 Find Un-grouped Files and Directories | Unix | CIS Debian Linux 7 L1 v1.0.0
Ensure no ungrouped files or directories exist | Unix | Tenable Cisco Firepower Management Center OS Best Practices Audit
MS.DEFENDER.4.2v1 - The custom policy SHOULD be applied to Exchange, OneDrive, SharePoint, Teams chat, and Devices. | microsoft_azure | CISA SCuBA Microsoft 365 Defender v1.5.0
MS.DEFENDER.4.3v1 - The action for the custom policy SHOULD be set to block sharing sensitive information with everyone. | microsoft_azure | CISA SCuBA Microsoft 365 Defender v1.5.0
MS.DEFENDER.4.5v1 - A list of apps that are restricted from accessing files protected by DLP policy SHOULD be defined. | microsoft_azure | CISA SCuBA Microsoft 365 Defender v1.5.0
MS.DEFENDER.4.6v1 - The custom policy SHOULD include an action to block access to sensitive | microsoft_azure | CISA SCuBA Microsoft 365 Defender v1.5.0
MS.DEFENDER.6.2v1 - Microsoft Purview Audit (Premium) logging SHALL be enabled for ALL users. | microsoft_azure | CISA SCuBA Microsoft 365 Defender v1.5.0
MS.DEFENDER.6.3v1 - Audit logs SHALL be maintained for at least the minimum duration dictated by OMB M-21-31. | microsoft_azure | CISA SCuBA Microsoft 365 Defender v1.5.0
MS.EXO.1.1v1 - Automatic forwarding to external domains SHALL be disabled. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.6.1v1 - Contact folders SHALL NOT be shared with all domains. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.6.2v1 - Calendar details SHALL NOT be shared with all domains. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.8.1v2 - A DLP solution SHALL be used. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.8.2v2 - The DLP solution SHALL protect personally identifiable information (PII) and sensitive information, as defined by the agency. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.8.3v1 - The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.8.4v1 - At a minimum, the DLP solution SHALL restrict sharing credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) via email. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.EXO.13.1v1 - Mailbox auditing SHALL be enabled. | microsoft_azure | CISA SCuBA Microsoft 365 Exchange Online v1.5.0
MS.POWERPLATFORM.1.1v1 - The ability to create production and sandbox environments SHALL be restricted to admins. | microsoft_azure | CISA SCuBA Microsoft 365 Power Platform v1.5.0
MS.POWERPLATFORM.2.1v1 - A DLP policy SHALL be created to restrict connector access in the default Power Platform environment. | microsoft_azure | CISA SCuBA Microsoft 365 Power Platform v1.5.0
MS.POWERPLATFORM.2.2v1 - Non-default environments SHOULD have at least one DLP policy affecting them. | microsoft_azure | CISA SCuBA Microsoft 365 Power Platform v1.5.0
MS.SHAREPOINT.1.1v1 - External sharing for SharePoint SHALL be limited to Existing guests or Only people in your organization. | microsoft_azure | CISA SCuBA Microsoft 365 SharePoint Online OneDrive v1.5.0
MS.SHAREPOINT.1.2v1 - External sharing for OneDrive SHALL be limited to Existing guests or Only people in your organization. | microsoft_azure | CISA SCuBA Microsoft 365 SharePoint Online OneDrive v1.5.0
MS.SHAREPOINT.1.3v1 - External sharing SHALL be restricted to approved external domains and/or users in approved security groups per interagency collaboration needs. | microsoft_azure | CISA SCuBA Microsoft 365 SharePoint Online OneDrive v1.5.0
MS.SHAREPOINT.1.4v1 - Guest access SHALL be limited to the email the invitation was sent to. | microsoft_azure | CISA SCuBA Microsoft 365 SharePoint Online OneDrive v1.5.0
MS.SHAREPOINT.2.1v1 - File and folder default sharing scope SHALL be set to Specific people (only the people the user specifies). | microsoft_azure | CISA SCuBA Microsoft 365 SharePoint Online OneDrive v1.5.0
MS.SHAREPOINT.2.2v1 - File and folder default sharing permissions SHALL be set to View. | microsoft_azure | CISA SCuBA Microsoft 365 SharePoint Online OneDrive v1.5.0
MS.SHAREPOINT.3.1v1 - Expiration days for Anyone links SHALL be set to 30 days or less. | microsoft_azure | CISA SCuBA Microsoft 365 SharePoint Online OneDrive v1.5.0
MS.SHAREPOINT.3.2v1 - The allowable file and folder permissions for links SHALL be set to View only. | microsoft_azure | CISA SCuBA Microsoft 365 SharePoint Online OneDrive v1.5.0
MS.SHAREPOINT.3.3v1 - Reauthentication days for people who use a verification code SHALL be set to 30 days or less. | microsoft_azure | CISA SCuBA Microsoft 365 SharePoint Online OneDrive v1.5.0
MS.TEAMS.3.1v1 - Contact with Skype users SHALL be blocked. | microsoft_azure | CISA SCuBA Microsoft 365 Teams v1.5.0
MS.TEAMS.6.1v1 - A DLP solution SHALL be enabled. The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft. | microsoft_azure | CISA SCuBA Microsoft 365 Teams v1.5.0
MS.TEAMS.6.2v1 - The DLP solution SHALL protect personally identifiable information (PII) | microsoft_azure | CISA SCuBA Microsoft 365 Teams v1.5.0
SHPT-00-000010 - SharePoint must maintain and support the use of organizationally defined security attributes to stored information - Document Library | Windows | DISA STIG SharePoint 2010 v1r9