
SC-16 Transmission of Security and Privacy Attributes

IL5
IL6

>Control Description

Associate organization-defined security and privacy attributes with information exchanged between systems and between system components.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

Security and privacy attributes can be explicitly or implicitly associated with the information contained in organizational systems or system components. Attributes are abstractions that represent the basic properties or characteristics of an entity with respect to protecting information or the management of personally identifiable information. Attributes are typically associated with internal data structures, including records, buffers, and files within the system.

Security and privacy attributes are used to implement access control and information flow control policies; reflect special dissemination, management, or distribution instructions, including permitted uses of personally identifiable information; or support other aspects of the information security and privacy policies. Privacy attributes may be used independently or in conjunction with security attributes.

>Kubernetes Implementation Examples

# Mandate security attributes via Admission Control
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-data-classification
spec:
  validationFailureAction: Enforce
  background: true
  rules:
  - name: check-labels
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "The label 'data-classification' is required for SC-16 compliance."
      pattern:
        metadata:
          labels:
            data-classification: "?*"
Source: SC-16: Security Attribute Enforcement
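The Kyverno policy above only admits Pods that carry a non-empty data-classification label; it does not by itself show what the attribute is for. The following Python is an added example, not code from the page, from NIST, or from the Kyverno project. It re-implements the policy's "?*" wildcard check against constructed Pod manifests so the admission decision can be exercised offline, and then shows the SC-16 point itself: the sender copies the same attribute onto every message it emits, and the receiver enforces an information flow rule from that attribute rather than inferring it. The message envelope format, the classification set (public, internal, cui) and the ordering between them are assumptions chosen for the example.

```python
"""Added example: admission check for the data-classification label, plus a
constructed message envelope that carries the attribute across a service boundary."""
import json
import re
from typing import Tuple

REQUIRED_LABEL = "data-classification"
DENY_MESSAGE = "The label 'data-classification' is required for SC-16 compliance."

# Assumed classification set and ordering (lowest to highest); not from the page.
CLASSIFICATION_ORDER = ["public", "internal", "cui"]


def _pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    # Kyverno wildcard semantics: '*' matches any (possibly empty) string and
    # '?' matches exactly one character, so "?*" means "at least one character".
    regex = "".join({"*": ".*", "?": "."}.get(ch, re.escape(ch)) for ch in pattern)
    return re.compile(f"^{regex}$")


def validate_pod(pod: dict, label: str = REQUIRED_LABEL,
                 pattern: str = "?*") -> Tuple[bool, str]:
    """Return (allowed, message) the way a validating admission step would.

    A missing label and an empty label value are both rejected, which is the
    behaviour the "?*" pattern in the Kyverno policy gives.
    """
    labels = pod.get("metadata", {}).get("labels") or {}
    value = labels.get(label)
    if value is None or not _pattern_to_regex(pattern).match(str(value)):
        return False, DENY_MESSAGE
    return True, "ok"


def wrap_message(pod: dict, payload: dict) -> str:
    """Sender side: attach the workload's classification attribute to the data.

    The envelope format is an assumption for this example; the point is that
    the attribute travels with the information rather than being looked up later.
    """
    allowed, msg = validate_pod(pod)
    if not allowed:
        raise ValueError(msg)
    envelope = {
        "attributes": {REQUIRED_LABEL: pod["metadata"]["labels"][REQUIRED_LABEL]},
        "payload": payload,
    }
    return json.dumps(envelope)


def accept_message(raw: str, receiver_max: str) -> dict:
    """Receiver side: refuse data classified above what the receiver may handle.

    Unknown or absent classifications are rejected outright, so a message that
    lost its attribute in transit cannot be treated as the lowest level.
    """
    env = json.loads(raw)
    cls = env.get("attributes", {}).get(REQUIRED_LABEL)
    if cls not in CLASSIFICATION_ORDER:
        raise ValueError(f"unknown or missing classification: {cls!r}")
    if CLASSIFICATION_ORDER.index(cls) > CLASSIFICATION_ORDER.index(receiver_max):
        raise PermissionError(f"receiver cleared for {receiver_max}, message is {cls}")
    return env["payload"]


# Constructed sample manifests (not from any real cluster).
GOOD_POD = {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "web", "labels": {"app": "web", REQUIRED_LABEL: "internal"}}}
MISSING_LABEL_POD = {"apiVersion": "v1", "kind": "Pod",
                     "metadata": {"name": "web", "labels": {"app": "web"}}}
EMPTY_LABEL_POD = {"apiVersion": "v1", "kind": "Pod",
                   "metadata": {"name": "web", "labels": {"app": "web", REQUIRED_LABEL: ""}}}


if __name__ == "__main__":
    for name, pod in [("good", GOOD_POD), ("missing", MISSING_LABEL_POD), ("empty", EMPTY_LABEL_POD)]:
        print(name, validate_pod(pod))
    msg = wrap_message(GOOD_POD, {"record": 42})
    print("cui receiver:", accept_message(msg, "cui"))
    try:
        accept_message(msg, "public")
    except PermissionError as exc:
        print("public receiver refused:", exc)
```

Running the script prints the admission result for each constructed manifest, then shows the same envelope accepted by a receiver cleared for "cui" and refused by one cleared only for "public". In a real deployment the envelope check would sit in the service or sidecar that receives inter-component traffic, and the admission check is what the Kyverno policy already does at Pod creation time.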

>Relevant Technologies

Technology-specific guidance with authoritative sources and verification commands.

>Related Controls

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of transmission of security and privacy attributes?
  • How are system and communications protection requirements defined and maintained?
  • Who is responsible for configuring and maintaining the security controls specified in SC-16?

Technical Implementation:

  • How is transmission of security and privacy attributes technically implemented in your environment?
  • What systems, tools, or configurations enforce this protection requirement?
  • How do you ensure that transmission of security and privacy attributes remains effective as the system evolves?

Evidence & Documentation:

  • What documentation demonstrates the implementation of SC-16?
  • Can you provide configuration evidence or system diagrams showing this protection control?
  • What logs or monitoring data verify that this control is functioning correctly?
