Device Class 2: Information Sharing

Control ID: AC-21 Information Sharing
Family: Access Control
Source: NIST 800-53r4
Control: The organization:
  1. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
  2. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.
Supplemental Guidance:
This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program/compartment. In the case of C-ITS, this control applies to device design and related information developed during the development phase of a device's life cycle.

Related Controls: AC-3
Control Enhancements: N/A
References: N/A
Mechanisms:

  • The organization shall go through a process of classifying all sensitive data that it stores.
  • Based on those data classifications, an administrative process determines the sensitivity level of each data type. An authorization matrix is then generated and implemented to determine which types of data may be shared with which types of user.
  • Organizations should maintain the principle of least privilege on sensitive data and permit only the minimum amount of data to be shared among users that is necessary for them to perform their normal job functions.
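The sharing decision the mechanisms above describe (match the partner's access authorizations against the information's classification and any special access compartment, deny by default otherwise), as an added Python example that is not part of this control text; the roles, classifications and compartment names are constructed placeholders:

```python
from dataclasses import dataclass

# Constructed authorization matrix (assumed values): which data classifications
# each sharing-partner role is authorized to receive. Roles and classifications
# absent from the matrix are denied by default.
AUTHORIZATION_MATRIX = {
    "device_engineer": {"design", "proprietary"},
    "contract_officer": {"contract-sensitive"},
    "external_supplier": {"design"},
}

@dataclass(frozen=True)
class InformationItem:
    name: str
    classification: str              # e.g. "design", "contract-sensitive", "pii"
    compartments: frozenset = frozenset()  # special access programs, if any

@dataclass(frozen=True)
class SharingPartner:
    identity: str
    role: str
    compartments: frozenset = frozenset()  # compartments the partner is read into

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

def sharing_decision(item, partner, matrix=AUTHORIZATION_MATRIX):
    """Decide whether the partner's authorizations match the item's restrictions."""
    authorized = matrix.get(partner.role, set())   # unknown role -> empty set -> deny
    if item.classification not in authorized:
        return Decision(False, f"role {partner.role!r} not authorized for "
                               f"{item.classification!r}")
    missing = item.compartments - partner.compartments
    if missing:   # classification matches, but compartment access is also required
        return Decision(False, f"partner lacks compartment(s) {sorted(missing)}")
    return Decision(True, "authorizations match information restrictions")

def minimum_share(items, partner, matrix=AUTHORIZATION_MATRIX):
    """Least privilege: from a requested set, return only the items the partner may receive."""
    return [item for item in items if sharing_decision(item, partner, matrix).allowed]
```

Each denial carries its reason so the decision can be shown to the user making the sharing choice and logged for later review.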

Protocol Implementation Conformance Statements: N/A