BRACKETOLOGY | FEDRAMP

AC-21: INFORMATION SHARING

  • FedRAMP Baseline Membership AC-21: MODERATE, HIGH

Use the FedRAMP Control Membership information above to determine whether a control or control enhancement is required for each Impact Baseline: LOW, MODERATE, or HIGH.

Review and use Additional Requirements and Guidance to build FedRAMP-compliant controls for your risk-based cybersecurity program.

The organization:

    • a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
    • b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.

There are no FedRAMP-specific requirements if this control is used for a Low Impact system.

There are no FedRAMP-specific requirements if this control is used for a Moderate Impact system.

There are no FedRAMP-specific requirements if this control is used for a High Impact system.


SUPPLEMENTAL GUIDANCE

This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program/compartment.

CONTROL ENHANCEMENTS

AC-21 (1) INFORMATION SHARING | AUTOMATED DECISION SUPPORT

The information system enforces information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.

Supplemental Guidance: NONE

AC-21 (2) INFORMATION SHARING | INFORMATION SEARCH AND RETRIEVAL

The information system implements information search and retrieval services that enforce [Assignment: organization-defined information sharing restrictions].

Supplemental Guidance: NONE

REFERENCES:

  • NO REFERENCES