NIST 800-53 REV 5 • ACCESS CONTROL
AC-21 — Information Sharing
a. Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }}; and
b. Employ {{ insert: param, ac-21_odp.02 }} to assist users in making information sharing and collaboration decisions.
Supplemental Guidance
Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include contract-sensitive information, classified information related to special access programs or compartments, privileged information, proprietary information, and personally identifiable information. Security and privacy risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to these determinations. Depending on the circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program or compartment. Access restrictions may include non-disclosure agreements (NDA). Information flow techniques and security attributes may be used to provide automated assistance to users making sharing and collaboration decisions.
Practitioner Notes
When sharing information with other organizations or individuals, you need formal processes to ensure the data is authorized for sharing and the recipient is authorized to receive it.
Example 1: Before sharing CUI with a subcontractor, verify they have a valid CMMC certification at the appropriate level. Document the sharing arrangement in a written agreement that specifies what data is shared, how it must be protected, and how it should be destroyed when no longer needed.
Example 2: In Microsoft Purview, configure External sharing settings in SharePoint Admin Center to limit sharing to specific external domains. Add your approved partner domains to the allow list. Block sharing to all other domains. This prevents users from accidentally sharing data with unauthorized recipients.
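The domain allow-list from Example 2 can also be applied and verified from the SharePoint Online Management Shell. This is an added example, not part of the NIST control text or the page's own guidance; the tenant admin URL and the partner domains are placeholders, and the module is assumed to be installed.

```powershell
# Added example: tenant-level external sharing restricted to approved partner domains.
# Assumes the SharePoint Online Management Shell module; replace the placeholders.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"   # placeholder tenant admin URL

# Constructed list of approved sharing-partner domains (placeholders, not real partners).
$approvedDomains = @("partner-one.example", "partner-two.example")

# Weak baseline: record the current state. SharingDomainRestrictionMode "None" means a user
# can share with any external domain, which is what the allow list is meant to prevent.
$before = Get-SPOTenant
"Before: Mode={0} Allowed='{1}' Capability={2}" -f `
    $before.SharingDomainRestrictionMode, $before.SharingAllowedDomainList, $before.SharingCapability

# Corrected setting: allow-list mode with only the approved domains, and authenticated
# external users only (no anonymous 'Anyone' links). SharingAllowedDomainList takes a
# single space-delimited string.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList ($approvedDomains -join " ")

# Verification check: read the tenant back and compare against the intended configuration,
# so a partially applied change is caught rather than assumed.
$after = Get-SPOTenant
$expected = ($approvedDomains | Sort-Object) -join " "
$actual   = (($after.SharingAllowedDomainList -split "\s+") | Sort-Object) -join " "
$modeOk   = $after.SharingDomainRestrictionMode -eq "AllowList"
$listOk   = $actual -eq $expected
if (-not ($modeOk -and $listOk)) {
    throw "External sharing restriction not applied as expected (mode=$($after.SharingDomainRestrictionMode), list='$actual')"
}
"After: Mode={0} Allowed='{1}'" -f $after.SharingDomainRestrictionMode, $after.SharingAllowedDomainList
```

Site-level sharing settings can only be tighter than the tenant setting, so the tenant-level allow list is the ceiling for every site; keep the before/after output with the written sharing agreement from Example 1 as evidence for the control.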