NIST 800-53 REV 5 • ACCESS CONTROL

AC-21(1) Automated Decision Support

Employ [Assignment: organization-defined automated mechanisms] to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Automated mechanisms are used to enforce information sharing decisions.

Practitioner Notes

Use automated tools to help users make good sharing decisions. The system should warn or block when someone is about to share data inappropriately.

Example 1: Configure Microsoft Purview DLP policy tips in Outlook and Teams. When a user tries to share content matching a CUI pattern with an external recipient, a policy tip appears: "This content appears to contain CUI. Verify the recipient is authorized before sending." The user must acknowledge the warning or the message is blocked.

Example 2: In SharePoint, enable Sensitivity label recommendations so that when a user uploads a document containing sensitive content, the system suggests the appropriate sensitivity label and associated sharing restrictions. This nudges users toward correct behavior.
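The decision the control statement describes, comparing a sharing partner's access authorizations with the access restrictions on the information, can be sketched as a small policy check that returns allow, warn or block, with the warn step modelled on the acknowledgement in Example 1. This is an added illustration, not Microsoft Purview configuration or code from NIST; the domain names, label names, the partner table and the rule that an unauthorized or unknown partner is blocked outright are all assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    WARN = "warn"    # show a policy tip; hold until the sender acknowledges
    BLOCK = "block"

_SEVERITY = {Decision.ALLOW: 0, Decision.WARN: 1, Decision.BLOCK: 2}

# Constructed sample data: access authorizations held by each sharing partner.
PARTNER_AUTHORIZATIONS = {
    "prime-contractor.example": {"CUI", "FOUO"},
    "supplier.example": {"FOUO"},
}
INTERNAL_DOMAIN = "corp.example"  # hypothetical home organization

@dataclass(frozen=True)
class ShareRequest:
    recipient: str
    restrictions: frozenset      # access restrictions on the content, e.g. {"CUI"}
    acknowledged: bool = False   # sender has accepted the policy tip

def decide(req):
    """Return (Decision, reason) for one recipient."""
    domain = req.recipient.rsplit("@", 1)[-1].lower()
    if domain == INTERNAL_DOMAIN or not req.restrictions:
        return Decision.ALLOW, "internal recipient or unrestricted content"
    held = PARTNER_AUTHORIZATIONS.get(domain)
    if held is None:
        # Fail closed: exact-match lookup, so look-alike domains are not partners.
        return Decision.BLOCK, f"{domain} is not a known sharing partner"
    missing = req.restrictions - held
    if missing:
        return Decision.BLOCK, f"{domain} lacks authorization for {sorted(missing)}"
    if not req.acknowledged:
        return Decision.WARN, "verify the recipient is authorized before sending"
    return Decision.ALLOW, "partner authorized and sender acknowledged"

def decide_message(recipients, restrictions, acknowledged=False):
    """A message takes the most restrictive decision across its recipients."""
    results = [decide(ShareRequest(r, frozenset(restrictions), acknowledged))
               for r in recipients]
    return max(results, key=lambda r: _SEVERITY[r[0]],
               default=(Decision.BLOCK, "no recipients"))

if __name__ == "__main__":
    for rcpts in (["bob@prime-contractor.example"], ["eve@supplier.example"]):
        print(rcpts, decide_message(rcpts, {"CUI"}))
```

An acknowledgement only releases a message to a partner that already holds the required authorization; it never overrides a block.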