AC-21: Information Sharing
Control Family:
CSF v1.1 References:
Baselines:
- Low
N/A
- Moderate
- AC-21
- High
- AC-21
Next Version:
- NIST Special Publication 800-53 Revision 5:
- AC-21: Information Sharing
Control Statement
The organization:
- Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
- Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.
Supplemental Guidance
This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program/compartment.
Control Enhancements
AC-21(1): Automated Decision Support
Baseline(s):
The information system enforces information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.
AC-21(2): Information Search And Retrieval
Baseline(s):
The information system implements information search and retrieval services that enforce [Assignment: organization-defined information sharing restrictions].