NIST 800-53 AC-16 Mappings

Information is represented internally within systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures, such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions that represent the basic properties or characteristics of active and passive entities with respect to safeguarding information. Privacy attributes, which may be used independently or in conjunction with security attributes, represent the basic properties or characteristics of active or passive entities with respect to the management of personally identifiable information. Attributes can be either explicitly or implicitly associated with the information contained in organizational systems or system components.

Attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, cause information to flow among objects, or change the system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of attributes to subjects and objects by a system is referred to as binding and is inclusive of setting the attribute value and the attribute type. Attributes, when bound to data or information, permit the enforcement of security and privacy policies for access control and information flow control, including data retention limits, permitted uses of personally identifiable information, and identification of personal information within data objects. Such enforcement occurs through organizational processes or system functions or mechanisms. The binding techniques implemented by systems affect the strength of attribute binding to information. Binding strength and the assurance associated with binding techniques play important parts in the trust that organizations have in the information flow enforcement process. The binding techniques affect the number and degree of additional reviews required by organizations. The content or assigned values of attributes can directly affect the ability of individuals to access organizational information.

Organizations can define the types of attributes needed for systems to support missions or business functions. There are many values that can be assigned to a security attribute. By specifying the permitted attribute ranges and values, organizations ensure that attribute values are meaningful and relevant. Labeling refers to the association of attributes with the subjects and objects represented by the internal data structures within systems. This facilitates system-based enforcement of information security and privacy policies. Labels include classification of information in accordance with legal and compliance requirements (e.g., top secret, secret, confidential, controlled unclassified); information impact level; high value asset information; access authorizations; nationality; data life cycle protection (i.e., encryption and data expiration); personally identifiable information processing permissions, including individual consent to personally identifiable information processing; and contractor affiliation. A related term to labeling is marking. Marking refers to the association of attributes with objects in a human-readable form and displayed on system media. Marking enables manual, procedural, or process-based enforcement of information security and privacy policies. Security and privacy labels may have the same value as media markings (e.g., top secret, secret, confidential). See MP-03 (Media Marking).

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-16 | Security and Privacy Attributes | Protects | T1003 | OS Credential Dumping |
| AC-16 | Security and Privacy Attributes | Protects | T1003.003 | NTDS |
| AC-16 | Security and Privacy Attributes | Protects | T1005 | Data from Local System |
| AC-16 | Security and Privacy Attributes | Protects | T1020.001 | Traffic Duplication |
| AC-16 | Security and Privacy Attributes | Protects | T1025 | Data from Removable Media |
| AC-16 | Security and Privacy Attributes | Protects | T1040 | Network Sniffing |
| AC-16 | Security and Privacy Attributes | Protects | T1041 | Exfiltration Over C2 Channel |
| AC-16 | Security and Privacy Attributes | Protects | T1048 | Exfiltration Over Alternative Protocol |
| AC-16 | Security and Privacy Attributes | Protects | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
| AC-16 | Security and Privacy Attributes | Protects | T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
| AC-16 | Security and Privacy Attributes | Protects | T1052 | Exfiltration Over Physical Medium |
| AC-16 | Security and Privacy Attributes | Protects | T1052.001 | Exfiltration over USB |
| AC-16 | Security and Privacy Attributes | Protects | T1070 | Indicator Removal on Host |
| AC-16 | Security and Privacy Attributes | Protects | T1070.001 | Clear Windows Event Logs |
| AC-16 | Security and Privacy Attributes | Protects | T1070.002 | Clear Linux or Mac System Logs |
| AC-16 | Security and Privacy Attributes | Protects | T1114 | Email Collection |
| AC-16 | Security and Privacy Attributes | Protects | T1114.001 | Local Email Collection |
| AC-16 | Security and Privacy Attributes | Protects | T1114.002 | Remote Email Collection |
| AC-16 | Security and Privacy Attributes | Protects | T1114.003 | Email Forwarding Rule |
| AC-16 | Security and Privacy Attributes | Protects | T1119 | Automated Collection |
| AC-16 | Security and Privacy Attributes | Protects | T1213 | Data from Information Repositories |
| AC-16 | Security and Privacy Attributes | Protects | T1213.001 | Confluence |
| AC-16 | Security and Privacy Attributes | Protects | T1213.002 | Sharepoint |
| AC-16 | Security and Privacy Attributes | Protects | T1222 | File and Directory Permissions Modification |
| AC-16 | Security and Privacy Attributes | Protects | T1222.001 | Windows File and Directory Permissions Modification |
| AC-16 | Security and Privacy Attributes | Protects | T1222.002 | Linux and Mac File and Directory Permissions Modification |
| AC-16 | Security and Privacy Attributes | Protects | T1505 | Server Software Component |
| AC-16 | Security and Privacy Attributes | Protects | T1505.002 | Transport Agent |
| AC-16 | Security and Privacy Attributes | Protects | T1530 | Data from Cloud Storage Object |
| AC-16 | Security and Privacy Attributes | Protects | T1537 | Transfer Data to Cloud Account |
| AC-16 | Security and Privacy Attributes | Protects | T1547.007 | Re-opened Applications |
| AC-16 | Security and Privacy Attributes | Protects | T1547.011 | Plist Modification |
| AC-16 | Security and Privacy Attributes | Protects | T1548 | Abuse Elevation Control Mechanism |
| AC-16 | Security and Privacy Attributes | Protects | T1548.003 | Sudo and Sudo Caching |
| AC-16 | Security and Privacy Attributes | Protects | T1550.001 | Application Access Token |
| AC-16 | Security and Privacy Attributes | Protects | T1552 | Unsecured Credentials |
| AC-16 | Security and Privacy Attributes | Protects | T1552.004 | Private Keys |
| AC-16 | Security and Privacy Attributes | Protects | T1552.005 | Cloud Instance Metadata API |
| AC-16 | Security and Privacy Attributes | Protects | T1557 | Adversary-in-the-Middle |
| AC-16 | Security and Privacy Attributes | Protects | T1557.002 | ARP Cache Poisoning |
| AC-16 | Security and Privacy Attributes | Protects | T1558 | Steal or Forge Kerberos Tickets |
| AC-16 | Security and Privacy Attributes | Protects | T1558.002 | Silver Ticket |
| AC-16 | Security and Privacy Attributes | Protects | T1558.003 | Kerberoasting |
| AC-16 | Security and Privacy Attributes | Protects | T1558.004 | AS-REP Roasting |
| AC-16 | Security and Privacy Attributes | Protects | T1564.004 | NTFS File Attributes |
| AC-16 | Security and Privacy Attributes | Protects | T1565 | Data Manipulation |
| AC-16 | Security and Privacy Attributes | Protects | T1565.001 | Stored Data Manipulation |
| AC-16 | Security and Privacy Attributes | Protects | T1565.002 | Transmitted Data Manipulation |
| AC-16 | Security and Privacy Attributes | Protects | T1567 | Exfiltration Over Web Service |
| AC-16 | Security and Privacy Attributes | Protects | T1602 | Data from Configuration Repository |
| AC-16 | Security and Privacy Attributes | Protects | T1602.001 | SNMP (MIB Dump) |
| AC-16 | Security and Privacy Attributes | Protects | T1602.002 | Network Device Configuration Dump |