AC-21: Information Sharing

Control Family:

Access Control

CSF v1.1 References:

PF v1.0 References:


  • Low


  • Moderate
    • AC-21
  • High
    • AC-21

Next Version:

Control Statement

The organization:

  1. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
  2. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.

Supplemental Guidance

This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program/compartment.

Control Enhancements

AC-21(1): Automated Decision Support


(Not part of any baseline)

The information system enforces information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.

AC-21(2): Information Search And Retrieval


(Not part of any baseline)

The information system implements information search and retrieval services that enforce [Assignment: organization-defined information sharing restrictions].