
SC-16 Transmission Of Security And Privacy Attributes

>Control Description

Associate organization-defined security and privacy attributes with information exchanged between systems and between system components.

>Kubernetes Implementation Guidance

What This Control Means in Practice

SC-16 is about keeping organization-defined security and privacy attributes attached to information as it is exchanged (service-to-service calls, API requests, events/messages), not only inside a single component. In Kubernetes, that typically means:

  • Decide what your "attributes" are (e.g., data classification, tenant context, handling restrictions)
  • Ensure they travel with the data on the paths that matter (north-south and/or east-west)

Note: Kubernetes labels/annotations can help define attributes at the workload level, but SC-16 is satisfied when attributes are associated with the information being exchanged (requests/messages), not just the workloads themselves.

Common Attributes

  • Data handling label (e.g., public, cui, restricted)
  • Tenant / mission context (e.g., tenant-id, mission-id)
  • Requester context (e.g., user/workload identity claim, role/group)
  • Privacy handling (e.g., "contains PII", permitted uses, consent flags)

Implementation Examples

Enforcement Layer: Ensures that no workload can be created without a required 'data-classification' label, preventing unauthorized or unclassified workloads from entering the system.

# Mandate security attributes via Admission Control
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-data-classification
spec:
  validationFailureAction: Enforce
  background: true
  rules:
  - name: check-labels
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "The label 'data-classification' is required to support SC-16 attribute handling."
      pattern:
        metadata:
          labels:
            data-classification: "?*"
Source: SC-16: Security Attribute Enforcement

How to Validate

Pick one real flow (Ingress → Service A → Service B) and verify:

  1. The attribute is present at the entry point (e.g., as a header on the ingress request)
  2. The attribute is present at the receiving hop (e.g., the header is forwarded to the downstream service)
  3. The attribute is consistently applied across requests (e.g., audit logs show the attribute values)
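The three validation steps above, and the point made earlier that attributes must travel with the request rather than only sit on the workload, can be exercised offline. The following is an added example (not code from this page or from any particular product): it assumes two request headers, x-data-classification and x-tenant-id, carrying the attributes the page lists, checks them at each hop of a simulated Ingress → Service A → Service B flow, emits one JSON audit line per hop, and then checks the audit trail for consistency.

```python
import json

# Header names and allowed values are assumptions for this example, chosen to
# match the attributes the page lists (data handling label, tenant context).
ATTRIBUTE_HEADERS = ("x-data-classification", "x-tenant-id")
ALLOWED_CLASSIFICATIONS = {"public", "cui", "restricted"}

class AttributeViolation(ValueError):
    """A request arrived without a complete, well-formed attribute set."""

def validate_inbound(headers):
    """Step 1: check attributes at the entry point of a hop; return them normalised."""
    lowered = {k.lower(): v for k, v in headers.items()}
    missing = [name for name in ATTRIBUTE_HEADERS if not lowered.get(name)]
    if missing:
        raise AttributeViolation(f"missing attributes: {missing}")
    label = lowered["x-data-classification"]
    if label not in ALLOWED_CLASSIFICATIONS:
        raise AttributeViolation(f"unknown data-classification {label!r}")
    return {name: lowered[name] for name in ATTRIBUTE_HEADERS}

def forward(attrs, outbound_headers):
    """Step 2: attach the same attributes to the request sent downstream."""
    return {**outbound_headers, **attrs}

def audit_record(hop, attrs):
    """One JSON audit line per hop, so step 3 can be checked from logs alone."""
    return json.dumps({"hop": hop, **attrs}, sort_keys=True)

def attributes_consistent(audit_lines):
    """Step 3: every hop in the trail logged identical attribute values."""
    seen = {tuple(rec.get(n) for n in ATTRIBUTE_HEADERS)
            for rec in map(json.loads, audit_lines)}
    return len(seen) == 1 and None not in next(iter(seen))

def run_flow(ingress_headers, rewrite_at_a=None):
    """Simulate Ingress -> Service A -> Service B; return the audit trail.

    rewrite_at_a models a Service A that overwrites an attribute before
    calling B (e.g. a client library substituting its own tenant context).
    """
    attrs = validate_inbound(ingress_headers)
    trail = [audit_record("ingress", attrs)]
    attrs = validate_inbound(forward(attrs, {"host": "service-a"}))
    trail.append(audit_record("service-a", attrs))
    to_b = {**forward(attrs, {"host": "service-b"}), **(rewrite_at_a or {})}
    attrs = validate_inbound(to_b)  # raises if A dropped an attribute entirely
    trail.append(audit_record("service-b", attrs))
    return trail
```

A dropped header is caught at the receiving hop (step 1 there), while a header that is present but rewritten passes each hop and is only caught by the trail-wide consistency check (step 3); both failure modes need to be tested.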

>Control Enhancements (3)


>Supplemental Guidance

Security and privacy attributes can be explicitly or implicitly associated with the information contained in organizational systems or system components. Attributes are abstractions that represent the basic properties or characteristics of an entity with respect to protecting information or the management of personally identifiable information. Attributes are typically associated with internal data structures, including records, buffers, and files within the system.

Security and privacy attributes are used to implement access control and information flow control policies; reflect special dissemination, management, or distribution instructions, including permitted uses of personally identifiable information; or support other aspects of the information security and privacy policies. Privacy attributes may be used independently or in conjunction with security attributes.


>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of transmission of security and privacy attributes?
  • How are system and communications protection requirements defined and maintained?
  • Who is responsible for configuring and maintaining the security controls specified in SC-16?

Technical Implementation:

  • How is transmission of security and privacy attributes technically implemented in your environment?
  • What systems, tools, or configurations enforce this protection requirement?
  • How do you ensure that transmission of security and privacy attributes remains effective as the system evolves?

Evidence & Documentation:

  • What documentation demonstrates the implementation of SC-16?
  • Can you provide configuration evidence or system diagrams showing this protection control?
  • What logs or monitoring data verify that this control is functioning correctly?
