AC-16(6)—Security and Privacy Attributes | Maintenance of Attribute Association

IL5

IL6

>Control Description

Require personnel to associate and maintain the association of ⚙organization-defined security and privacy attributes with ⚙organization-defined subjects and objects in accordance with ⚙organization-defined security and privacy policies.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

Maintaining attribute association requires individual users (as opposed to the system) to maintain associations of defined security and privacy attributes with subjects and objects.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

•What formal policies and procedures govern the implementation of AC-16(6) (Maintenance Of Attribute Association)?
•Who are the designated roles responsible for implementing, maintaining, and monitoring AC-16(6)?
•How frequently is the AC-16(6) policy reviewed and updated, and what triggers policy changes?
•What training or awareness programs ensure personnel understand their responsibilities related to AC-16(6)?

Technical Implementation:

•Describe the specific technical mechanisms or controls used to enforce AC-16(6) requirements.
•What automated tools, systems, or technologies are deployed to implement AC-16(6)?
•How is AC-16(6) integrated into your system architecture and overall security posture?
•What configuration settings, parameters, or technical specifications enforce AC-16(6) requirements?

Evidence & Documentation:

•What documentation demonstrates the complete implementation of AC-16(6)?
•What audit logs, records, reports, or monitoring data validate AC-16(6) compliance?
•Can you provide evidence of periodic reviews, assessments, or testing of AC-16(6) effectiveness?
•What artifacts would you present during a FedRAMP assessment to demonstrate AC-16(6) compliance?

Ask AI

Configure your API key to use AI features.