National Vulnerability Database

NIST Special Publication 800-53 (Rev. 4)

Security Controls and Assessment Procedures for Federal Information Systems and Organizations

AC-21 INFORMATION SHARING

Family: AC - ACCESS CONTROL
Class:
Priority: P2 - Implement P2 security controls after implementation of P1 controls.
Baseline Allocation: Low: N/A; Moderate: AC-21; High: AC-21

Control Description

The organization:

a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and

b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.

Supplemental Guidance

This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program/compartment.

Related to: AC-3

Control Enhancements

AC-21(1) INFORMATION SHARING | AUTOMATED DECISION SUPPORT
The information system enforces information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.
AC-21(2) INFORMATION SHARING | INFORMATION SEARCH AND RETRIEVAL
The information system implements information search and retrieval services that enforce [Assignment: organization-defined information sharing restrictions].

References

None.