AC-21 INFORMATION SHARING

Page last updated:

PCF Compliance

PCF enables compliance with this requirement by providing SAMLv2 support. An organization can implement appropriate federation using available protocols and APIs if and as needed. Information sharing by an application is the responsibility of the application deployer.


Control Description

The organization:

  1. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
  2. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.

Supplemental Guidance

This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program/compartment.