Release information outside of the system only if:
- The receiving [Assignment: organization-defined system or system component] provides [Assignment: organization-defined controls]; and
- [Assignment: organization-defined controls] are used to validate the appropriateness of the information designated for release.
Controlled release of information requires systems to implement technical or procedural means to validate the information prior to releasing it to external systems. For example, if the system passes information to a system controlled by another organization, technical means are employed to validate that the security and privacy attributes associated with the exported information are appropriate for the receiving system. Alternatively, if the system passes information to a printer in organization-controlled space, procedural means can be employed to ensure that only authorized individuals gain access to the printer.