AC-16 Automated Labeling

Access Control

Low Moderate High

Description

The information system appropriately labels information in storage, in process, and in transmission.

Supplemental Guidance

Automated labeling refers to labels employed on internal data structures (e.g., records, files) within the information system. Information labeling is accomplished in accordance with: (i) access control requirements; (ii) special dissemination, handling, or distribution instructions; or (iii) as otherwise required to enforce information system security policy.

Changes from Rev 4

Title changed from 'Security Attributes'
Adds privacy to parameters
Adds control text for auditing changes to attributes
Adds control text and parameters for reviewing security and privacy attributes at a specified frequency
Discussion includes new attributes and incorporates discussion about security attribute binding from withdrawn control AC-04(18)

Enhancements

(0) None.

MITRE ATT&CK Techniques (57)

ATT&CK v16.1

Techniques mitigated by this control, mapped via CTID.

Persistence 4, Privilege Escalation 4, Defense Evasion 14, Credential Access 13, Discovery 1, Lateral Movement 1, Collection 18, Exfiltration 9, Impact 3

Compliance Mappings

ISO 27001:2022

A.5.13

ISO 27002:2022

5.12, 5.13

COBIT 2019

DSS05

CSA CCM v4

DSP-04, DSP-06, IAM-16

CSA AICM v1

DSP-04, DSP-06, IAM-16

FINOS CCC

CCC-C16

ISO 42001:2023

A.7.4, A.7.5

NIS2 Directive

Art. 21(2)(i)

MAS TRM

9

BSI IT-Grundschutz

ORP.4

ANSSI

Hygiene.8

FINMA Circular 2023/1

IV.D(78), IV.D(79), IV.D(80)

OSFI B-13

B-13.3.2

EU GDPR

Art.5(1)(e), Art.9(1)

EU DORA

Art.8(1), Art.8(4)

BIO2

5.12, 5.13

FISC Security Guidelines

FISC.O9, FISC.T5

LGPD + BCB 4893

LGPD.Art.11

HKMA TM-E-1

TME1.7.2

DNB Good Practice

DNB.12.3, DNB.2.2, DNB.6.1

SAMA CSF

3.1

NCA ECC

2-7

UAE IA

T4, T9

CBB TM

TM-6, TM-9

Qatar NIA

ACAM

CBUAE

CR-5

CBE CSF

CTO-2

SA JS2

JS2-6.1

CBN CSF

Part3.4

BoG CISD

CISD-V

POPIA

s26-27, s28-33

IOSCO Cyber Resilience

ID-4

BCBS 239

Principle 11

BOT Cyber Resilience

Ch2.2

CMMC 2.0

AC

Common Criteria

CC Part 2 — FDP

Solvency II

DR.266-DataSec, EIOPA-ICT-4.3

Lloyd's Minimum Standards

MS7.1, MS8.7

HITRUST CSF v11

07.b

FDA 21 CFR Part 11

§11.10(g)

ISO 27799

5.38.2

NHS DSPT

NDG-4.4

Basel SCO60

SCO60.70

ISO 17799 (legacy)

7.2.2

COBIT 4.1 (legacy)

PO2.3, DS11.6