Overview:
The organization:
a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.
Supplemental Guidance:
This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program/compartment.
Related Controls:>/b> AC-3
Action Items:
1) Ensure that network and information security requirements are addressed when working with other organizations and external systems
2) Create Data Classification Policy and ensure proper handling is addressed
Related Documents:
1) Access Control Policy
2) Data Classification Policy
3) Third Party Risk Management Policy
Additional Guidance:
Moderate FedRAMP-Defined Assignment / Selection Parameters
none
Moderate Additional FedRAMP Requirements and Guidance
none
Article ID: 50
Created: September 25, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/fedramp-information-sharing-ac-21-50.html