AC-21 Information Sharing
a. Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for ac-21_odp.01 ; and
b. Employ ac-21_odp.02 to assist users in making information sharing and collaboration decisions.
Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include, contract-sensitive information, classified information related to special access programs or compartments, privileged information, proprietary information, and personally identifiable information. Security and privacy risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to these determinations. Depending on the circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program or compartment. Access restrictions may include non-disclosure agreements (NDA). Information flow techniques and security attributes may be used to provide automated assistance to users making sharing and collaboration decisions.
- OMB A-130 Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016.
- SP 800-150 Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150.
- IR 8062 Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062.
Control Enhancements 2
Related controls 7
- AC-03 Access Enforcement L M H P
- AC-04 Information Flow Enforcement L M H P
- AC-16 Security and Privacy Attributes L M H P
- PT-02 Authority to Process Personally Identifiable Information L M H P
- PT-07 Specific Categories of Personally Identifiable Information L M H P
- RA-03 Risk Assessment L M H P
- SC-15 Collaborative Computing Devices and Applications L M H P