myctrl.tools

AC-16(4) Association Of Attributes By Authorized Individuals

>Control Description

Provide the capability to associate organization-defined security and privacy attributes with organization-defined subjects and objects by authorized individuals (or processes acting on behalf of individuals).

>Supplemental Guidance

Systems, in general, provide the capability for privileged users to assign security and privacy attributes to system-defined subjects (e.g., users) and objects (e.g., directories, files, and ports). Some systems provide additional capability for general users to assign security and privacy attributes to additional objects (e.g., files, emails). The association of attributes by authorized individuals is described in the design documentation.

The support provided by systems can include prompting users to select security and privacy attributes to be associated with information objects, employing automated mechanisms to categorize information with attributes based on defined policies, or ensuring that the combination of the security or privacy attributes selected is valid. Organizations consider the creation, deletion, or modification of attributes when defining auditable events.
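As an added illustration of the mechanism this guidance describes (example code, not from NIST or from myctrl.tools), the Python sketch below enforces the three points just named: the caller must be an authorized individual or a process acting on that individual's behalf, the selected attribute combination is validated against policy before it is stored, and every creation, modification and deletion is recorded as an auditable event. The principal names, the two attributes and the single combination rule are constructed assumptions.

```python
"""Illustrative attribute-association service of the kind AC-16(4) describes.
Roles, attributes and the one combination rule are constructed for the example."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed policy: permitted values per attribute.
ALLOWED = {
    "classification": {"public", "internal", "confidential"},
    "privacy": {"none", "pii"},
}

def combination_valid(attrs: dict) -> bool:
    """Unknown attributes or values fail; so does the constructed rule
    that PII may not be placed on a 'public' object."""
    for name, value in attrs.items():
        if name not in ALLOWED or value not in ALLOWED[name]:
            return False
    return not (attrs.get("classification") == "public"
                and attrs.get("privacy") == "pii")

@dataclass
class AttributeStore:
    authorized: set                                 # principals allowed to bind attributes
    bindings: dict = field(default_factory=dict)    # object -> attributes
    audit_log: list = field(default_factory=list)   # auditable events

    def associate(self, actor: str, obj: str, attrs: dict,
                  on_behalf_of: Optional[str] = None) -> bool:
        # A process acting for an individual is authorized as that individual.
        principal = on_behalf_of or actor
        if principal not in self.authorized:
            self.audit_log.append(("denied", actor, principal, obj, None))
            return False
        if not combination_valid(attrs):
            self.audit_log.append(("rejected", actor, principal, obj, dict(attrs)))
            return False
        event = "modify" if obj in self.bindings else "create"
        self.bindings[obj] = dict(attrs)
        self.audit_log.append((event, actor, principal, obj, dict(attrs)))
        return True

    def dissociate(self, actor: str, obj: str,
                   on_behalf_of: Optional[str] = None) -> bool:
        principal = on_behalf_of or actor
        if principal not in self.authorized or obj not in self.bindings:
            self.audit_log.append(("denied", actor, principal, obj, None))
            return False
        removed = self.bindings.pop(obj)
        self.audit_log.append(("delete", actor, principal, obj, removed))
        return True
```

The audit_log entries are what an assessor would expect to see when asking which attribute changes are treated as auditable events.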

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of AC-16(4) (Association Of Attributes By Authorized Individuals)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring AC-16(4)?
  • How frequently is the AC-16(4) policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to AC-16(4)?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce AC-16(4) requirements.
  • What automated tools, systems, or technologies are deployed to implement AC-16(4)?
  • How is AC-16(4) integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce AC-16(4) requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of AC-16(4)?
  • What audit logs, records, reports, or monitoring data validate AC-16(4) compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of AC-16(4) effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate AC-16(4) compliance?
