SHPT-00-000010 - SharePoint must maintain and support the use of organizationally defined security attributes to stored information.


Security attributes are metadata representing the basic properties of an entity with respect to safeguarding information. These attributes are typically associated with internal data structures within the application and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. Some examples of application security attributes include classified, For Official Use Only (FOUO), Personally Identifiable Information (PII), and sensitive.

The term security label is often used to associate a set of security attributes with a specific information object as part of the data structure for that object (e.g., user access privileges, nationality, affiliation as contractor).

A SharePoint information management policy or a third party Information Right Management (IRM) solution must be installed to implement this requirement. Although a 3rd party solution is recommended for a more robust solution, SharePoint can natively meet this requirement through combined use of information rights policy and defined content type. Content types must be defined which bind metadata to the content in storage and in process.


To define content types and metadata, perform the following for each desired application security attribute, such as PII or FOUO, as defined by organizational requirements.

1. On the site home page, click Site Actions and then click Site Settings.
2. On the Site Settings page, in the Galleries list, click Site content types.
3. Enter a name for the content type and click OK to view the advanced properties.
4. Scroll down this page and add the columns to prompt the user to enter as metadata or properties to collect when documents of this content type are added to SharePoint.

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Windows.