AC 21 INFORMATION SHARING - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki

AC-21 INFORMATION SHARING

Control:

  • a. Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
  • b. Employ [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing and collaboration decisions.

Discussion: Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include contract-sensitive information, classified information related to special access programs or compartments, privileged information, proprietary information, and personally identifiable information. Security and privacy risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to these determinations. Depending on the circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program or compartment. Access restrictions may include non-disclosure agreements (NDA). Information flow techniques and security attributes may be used to provide automated assistance to users making sharing and collaboration decisions.

Related Controls: AC-3, AC-4, AC-16, PT-2, PT-7, RA-3, SC-15.

Control Enhancements:

  • (1) INFORMATION SHARING / AUTOMATED DECISION SUPPORT
    Employ [Assignment: organization-defined automated mechanisms] to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.

    Discussion: Automated mechanisms are used to enforce information sharing decisions.

    Related Controls: None.

  • (2) INFORMATION SHARING / INFORMATION SEARCH AND RETRIEVAL
    Implement information search and retrieval services that enforce [Assignment: organization-defined information sharing restrictions].

    Discussion: Information search and retrieval services identify information system resources relevant to an information need.

    Related Controls: None.
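The following is an added illustration, not text or code from NIST SP 800-53 or this wiki, of how the comparison described in AC-21a and enforced under AC-21(1) and AC-21(2) can be automated with security attributes: each item of information carries a label (category, compartments, NDA requirement, permitted organizations), each sharing partner carries authorizations, and a decision function explains any mismatch so a user can act on it or a system can enforce it. The category ordering, the compartment name, the organizations, the partners and the document corpus are all constructed for the example.

```python
"""Added example (not part of NIST SP 800-53 or this wiki): label-based decision
support for information sharing in the spirit of AC-21, AC-21(1) and AC-21(2).
Every category, compartment, organization, partner and document below is constructed."""
from dataclasses import dataclass, field

# Assumed ordering of security categories; a higher index is more restrictive.
CATEGORIES = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED"]


@dataclass(frozen=True)
class InfoLabel:
    """Security attributes attached to a piece of information."""
    category: str
    compartments: frozenset = frozenset()   # special access programs / compartments
    nda_required: bool = False              # access restriction: NDA must be on file
    allowed_orgs: frozenset = frozenset()   # empty means no organizational restriction


@dataclass(frozen=True)
class Partner:
    """Access authorizations held by a sharing partner (individual or organization)."""
    name: str
    org: str
    clearance: str
    compartments: frozenset = frozenset()
    nda_signed: bool = False


@dataclass
class Decision:
    """Outcome plus the reasons a user would need to understand a denial."""
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate_sharing(label: InfoLabel, partner: Partner) -> Decision:
    """AC-21a / AC-21(1): compare the partner's authorizations against the
    information's access and use restrictions.  Every mismatch is recorded
    rather than stopping at the first one, so the decision is explainable."""
    reasons = []
    if CATEGORIES.index(partner.clearance) < CATEGORIES.index(label.category):
        reasons.append(f"clearance {partner.clearance} below category {label.category}")
    missing = label.compartments - partner.compartments
    if missing:
        reasons.append(f"missing compartments: {sorted(missing)}")
    if label.nda_required and not partner.nda_signed:
        reasons.append("NDA required but none on file")
    if label.allowed_orgs and partner.org not in label.allowed_orgs:
        reasons.append(f"organization {partner.org} not in allowed set")
    return Decision(allowed=not reasons, reasons=reasons)


def search(corpus: dict, query: str, partner: Partner) -> list:
    """AC-21(2): a search service that only returns items the partner may be shown,
    so restricted content is neither listed nor retrievable through search."""
    hits = []
    for doc_id, (text, label) in corpus.items():
        if query.lower() in text.lower() and evaluate_sharing(label, partner).allowed:
            hits.append(doc_id)
    return sorted(hits)


# Constructed sample corpus and partners.
CORPUS = {
    "doc-1": ("Quarterly budget summary", InfoLabel("INTERNAL")),
    "doc-2": ("Budget for program ORCHID", InfoLabel("RESTRICTED", frozenset({"ORCHID"}))),
    "doc-3": ("Vendor budget proposal",
              InfoLabel("CONFIDENTIAL", nda_required=True, allowed_orgs=frozenset({"acme"}))),
}
PARTNER_A = Partner("alice", "acme", "CONFIDENTIAL", nda_signed=True)
PARTNER_B = Partner("bob", "globex", "RESTRICTED", frozenset({"ORCHID"}))

if __name__ == "__main__":
    for doc_id, (_, label) in CORPUS.items():
        for partner in (PARTNER_A, PARTNER_B):
            d = evaluate_sharing(label, partner)
            print(doc_id, partner.name, "ALLOW" if d.allowed else "DENY", d.reasons)
    print("search 'budget' as alice:", search(CORPUS, "budget", PARTNER_A))
    print("search 'budget' as bob:", search(CORPUS, "budget", PARTNER_B))
```

The same `evaluate_sharing` function serves both the manual-assist case of AC-21b (show the user the reasons before they share) and the automated-enforcement case of AC-21(1) (refuse the transfer when `allowed` is false); the reasons list is what makes the former usable, and it is also the natural content of an audit record for the latter.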

References: [OMB A-130], [SP 800-150], [IR 8062].
