Organizational Control: Information Sharing

Control ID: AC-21 Information Sharing Family: Access Control Source: NIST 800-53r4
Control: The organization:
  1. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
  2. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.
Supplemental Guidance:
This control applies to information that may be restricted in some manner (e.g.,privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program/compartment.

Related Controls: AC-3
Control Enhancements: N/A
References: N/A
Mechanisms:
Protocol Implementation Conformance Statements: N/A