When security attributes are not bound to data/information, enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms is difficult.
The organization:
a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;
b. Ensures that the security attribute associations are made and retained with the information;
c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and
d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes.