NIST 800-53 REV 5 • ACCESS CONTROL

AC-16(8) Association Techniques and Technologies

Implement [Assignment: organization-defined techniques and technologies] in associating security and privacy attributes to information.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

The association of security and privacy attributes to information within systems is important for conducting automated access enforcement and flow enforcement actions. The association of such attributes to information (i.e., binding) can be accomplished with technologies and techniques that provide different levels of assurance. For example, systems can cryptographically bind attributes to information using digital signatures that support cryptographic keys protected by hardware devices (sometimes known as hardware roots of trust).
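The binding described above, as an added example (not part of the NIST text or this page's notes): a tag is computed over the canonical attributes plus a digest of the content and is checked before any release decision. HMAC-SHA256 with a constructed demo key stands in for the hardware-protected digital signature the guidance mentions; the label set, function names and sample data are assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key. In the guidance's higher-assurance case this would be a
# signing key held in an HSM/TPM; HMAC-SHA256 stands in for that signature here.
DEMO_KEY = b"constructed-demo-key-not-for-production"

LEVELS = {"UNCLASSIFIED": 0, "CUI": 1, "SECRET": 2}  # hypothetical label set


def _binding_input(content: bytes, attrs: dict) -> bytes:
    # Canonical JSON so the same attributes always serialize identically, and
    # the content digest so the label cannot be moved onto other content.
    canon = json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()
    digest = hashlib.sha256(content).digest()
    return len(canon).to_bytes(4, "big") + canon + digest


def bind(content: bytes, attrs: dict, key: bytes = DEMO_KEY) -> dict:
    """Return a labeled object whose tag covers both attributes and content."""
    tag = hmac.new(key, _binding_input(content, attrs), hashlib.sha256).hexdigest()
    return {"content": content, "attrs": dict(attrs), "tag": tag}


def verify(obj: dict, key: bytes = DEMO_KEY) -> bool:
    expected = hmac.new(key, _binding_input(obj["content"], obj["attrs"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, obj["tag"])


def may_release(obj: dict, clearance: str, key: bytes = DEMO_KEY) -> bool:
    """Flow-enforcement check: trust the label only if the binding verifies."""
    if not verify(obj, key):
        return False  # fail closed on a broken binding
    level = LEVELS.get(obj["attrs"].get("classification"))
    return level is not None and level <= LEVELS[clearance]


if __name__ == "__main__":
    doc = bind(b"constructed sample report", {"classification": "SECRET", "owner": "hr"})
    relabeled = {**doc, "attrs": {**doc["attrs"], "classification": "UNCLASSIFIED"}}
    transplanted = {**doc, "content": b"different constructed content"}
    print(may_release(doc, "SECRET"), may_release(relabeled, "CUI"),
          may_release(transplanted, "SECRET"))
```

An unbound label (a plain metadata field beside the data) would pass the relabeled case; covering both attributes and content in the tag is what lets enforcement reject it.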

Practitioner Notes

Use standardized techniques and technologies for associating security attributes with data. Ad hoc methods create interoperability problems and are harder to audit.

Example 1: Standardize on Microsoft Information Protection (MIP) as your organization's labeling technology. All Office documents, emails, and SharePoint sites use MIP labels. This ensures consistent attribute association across the entire M365 ecosystem.

Example 2: For structured data, use XACML (eXtensible Access Control Markup Language) to define and communicate security attributes in a standard format. This enables different systems to exchange and enforce security attributes without custom integration.