Enforce organization-defined mandatory access control policy over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information is constrained from changing the rules governing access control.