NIST 800-53 REV 5 • ACCESS CONTROL
AC-16(7) — Consistent Attribute Interpretation
Provide a consistent interpretation of security and privacy attributes transmitted between distributed system components.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
To enforce security and privacy policies across multiple system components in distributed systems, organizations provide a consistent interpretation of security and privacy attributes employed in access enforcement and flow enforcement decisions. Organizations can establish agreements and processes to help ensure that distributed system components implement attributes with consistent interpretations in automated access enforcement and flow enforcement actions.
Practitioner Notes
All systems that handle your data must interpret security attributes the same way. A CUI label in System A should mean the same thing in System B. Inconsistent interpretation creates gaps in access enforcement and flow enforcement.
Example 1: Publish a data classification standard that defines each label, what protections it requires, and how it maps to labels in partner organizations. For example, your CUI label maps to a partner's Restricted label. Document this in your interconnection agreements.
Example 2: When integrating with external systems, configure label mapping in Microsoft Purview to translate between different labeling schemes. If a partner uses different label names, map their Confidential to your CUI so that protections apply correctly when data crosses organizational boundaries.
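The consistency requirement in the notes above can be checked mechanically. The following is an added example, not part of the original page or of any product: it compares the label-mapping tables of several components and reports every incoming label they do not all interpret identically. Component names, label tables and the fail-closed default are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: each component's table of
# incoming (partner) label -> local label it enforces.
COMPONENT_MAPS = {
    "gateway":   {"Restricted": "CUI", "Confidential": "CUI", "Public": "Public"},
    "file-sync": {"Restricted": "CUI", "Confidential": "Internal", "Public": "Public"},
    "dlp":       {"Restricted": "CUI", "Public": "Public"},
}


def find_inconsistencies(component_maps):
    """Return {incoming_label: {local_label_or_None: [components]}} for each
    incoming label that the components do not all interpret the same way.
    A key of None means the component has no mapping for that label."""
    seen = set()
    for mapping in component_maps.values():
        seen.update(mapping)

    findings = {}
    for label in sorted(seen):
        by_interpretation = defaultdict(list)
        for component, mapping in sorted(component_maps.items()):
            by_interpretation[mapping.get(label)].append(component)
        if len(by_interpretation) > 1:  # more than one interpretation in use
            findings[label] = dict(by_interpretation)
    return findings


def translate(label, mapping, most_restrictive="CUI"):
    """Translate an incoming label with one component's table.
    Assumption of this sketch: an unmapped label fails closed and is
    handled as the most restrictive local label."""
    return mapping.get(label, most_restrictive)


if __name__ == "__main__":
    for label, views in find_inconsistencies(COMPONENT_MAPS).items():
        print(f"inconsistent interpretation of {label!r}:")
        for local, components in views.items():
            print(f"  {local or 'NO MAPPING'}: {', '.join(components)}")
```

Running a check like this against the mapping tables exported from each component, before an interconnection goes live, surfaces the gaps the notes describe.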