NIST 800-53 REV 5 • ACCESS CONTROL

AC-4(6) Metadata

Enforce information flow control based on {{ insert: param, ac-04.06_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Metadata is information that describes the characteristics of data. Metadata can include structural metadata describing data structures or descriptive metadata describing data content. Enforcement of allowed information flows based on metadata enables simpler and more effective flow control. Organizations consider the trustworthiness of metadata regarding data accuracy (i.e., knowledge that the metadata values are correct with respect to the data), data integrity (i.e., protecting against unauthorized changes to metadata tags), and the binding of metadata to the data payload (i.e., employing sufficiently strong binding techniques with appropriate assurance).
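The three trust concerns above (accuracy, integrity, and binding of metadata to the payload) can be made concrete with a small flow-control check. The following is an added illustration, not part of NIST's text: a metadata tag is bound to its payload with an HMAC so that a relabelled or re-attached tag is rejected, and the flow decision is only taken when that binding verifies. The zone names, the allowed-flow policy and the key are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key; in practice it comes from a key management system.
KEY = b"constructed-demo-key"

# Assumed policy: classification labels permitted for each (source, destination) zone pair.
ALLOWED_FLOWS = {
    ("internal", "internal"): {"public", "internal", "confidential"},
    ("internal", "partner"): {"public", "internal"},
    ("internal", "public"): {"public"},
}


def _tag_for(metadata: dict, payload: bytes) -> str:
    # The tag covers canonical metadata plus the payload hash, so neither the
    # label nor the data it is attached to can change without detection.
    canonical = json.dumps(metadata, sort_keys=True).encode()
    payload_hash = hashlib.sha256(payload).digest()
    return hmac.new(KEY, canonical + payload_hash, hashlib.sha256).hexdigest()


def bind_metadata(payload: bytes, metadata: dict) -> dict:
    """Return a record whose metadata is cryptographically bound to the payload."""
    return {"metadata": metadata, "payload": payload, "tag": _tag_for(metadata, payload)}


def verify_binding(record: dict) -> bool:
    """True only if the metadata still belongs to this payload and is unmodified."""
    expected = _tag_for(record["metadata"], record["payload"])
    return hmac.compare_digest(expected, record["tag"])


def flow_allowed(record: dict, src: str, dst: str) -> bool:
    """Enforce the flow on the metadata label, but only when the metadata is trustworthy."""
    if not verify_binding(record):
        return False  # integrity or binding failure: fail closed
    label = record["metadata"].get("classification")
    return label in ALLOWED_FLOWS.get((src, dst), set())


if __name__ == "__main__":
    rec = bind_metadata(b"quarterly figures", {"classification": "confidential"})
    print(flow_allowed(rec, "internal", "internal"))  # True
    print(flow_allowed(rec, "internal", "partner"))   # False
    # Relabelling without re-binding breaks the tag and is rejected
    rec["metadata"]["classification"] = "public"
    print(flow_allowed(rec, "internal", "public"))    # False
```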

Practitioner Notes

Metadata — data about data, like file properties, email headers, EXIF data in photos — can leak sensitive information. This control requires you to manage metadata as information flows across boundaries.

Example 1: Before publishing any document externally, use the Document Inspector in Microsoft Office (File → Info → Check for Issues → Inspect Document) to strip hidden metadata like author names, revision history, and comments.

Example 2: On your web server, configure the response headers to strip sensitive metadata. In IIS, remove the X-Powered-By and Server headers using URL Rewrite rules. In Apache, set ServerTokens Prod and ServerSignature Off in httpd.conf.