This requirement is out of scope for Tanzu Application Service, and is the responsibility of the application developer. It is not required for systems operating at the FISMA moderate level.
The information system associates [Assignment: organization-defined security attributes] with information exchanged between information systems and between system components.
Security attributes can be explicitly or implicitly associated with the information contained in organizational information systems or system components.