AC-21: INFORMATION SHARING

TAILORED FOR INDUSTRIAL CONTROL SYSTEMS

The organization:

    • a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
    • b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.

SUPPLEMENTAL GUIDANCE

This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program/compartment.

ICS SUPPLEMENTAL GUIDANCE

The organization should collaborate and share information about potential incidents on a timely basis. The DHS National Cybersecurity & Communications Integration Center (NCCIC), http://www.dhs.gov/about-national-cybersecurity-communications-integration-center, serves as a centralized location where operational elements involved in cybersecurity and communications reliance are coordinated and integrated. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), http://ics-cert.us-cert.gov/ics-cert/, collaborates with international and private sector Computer Emergency Response Teams (CERTs) to share control systems-related security incidents and mitigation measures. Organizations should consider having both an unclassified and a classified information sharing capability.

Rationale for adding AC-21 to low baseline: ICS systems provide essential services and control functions and are often connected to other ICS systems or business systems that can be vectors of attack. It is therefore necessary to provide a uniform defense encompassing all baselines.

CONTROL ENHANCEMENTS

AC-21 (1) INFORMATION SHARING | AUTOMATED DECISION SUPPORT

NOT SELECTED FOR THE NIST ICS CONTROL SET

The information system enforces information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.
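The decision described in AC-21 a. and b. (compare the partner's access authorizations with the restrictions on the information, and help the user decide) and its enforced form in AC-21 (1) can be illustrated with a small label-matching check. The code below is an added example written for this page; it is not NIST text and not any product's implementation. The markings (PROPRIETARY, ICS-INCIDENT), the compartment name SAP-TURBINE, and the partner names are constructed sample values; the sharing circumstances that require user discretion are modelled with a per-item flag and a confirmation callback, which is an assumption about how the organization-defined assignment would be filled in.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class InformationItem:
    """An item of restricted information: its markings and any compartments."""
    name: str
    restrictions: frozenset                 # e.g. {"PROPRIETARY", "PII"} (constructed marking names)
    compartments: frozenset = frozenset()   # special access program / compartment names
    user_discretion: bool = False           # AC-21 a.: circumstance where user discretion is required


@dataclass(frozen=True)
class SharingPartner:
    """An individual, group or organization the information may be shared with."""
    name: str
    authorizations: frozenset
    compartments: frozenset = frozenset()


@dataclass(frozen=True)
class Decision:
    allowed: bool
    missing_authorizations: frozenset
    missing_compartments: frozenset

    def reason(self) -> str:
        if self.allowed:
            return "partner authorizations cover every restriction on the item"
        parts = []
        if self.missing_authorizations:
            parts.append("missing authorizations: " + ", ".join(sorted(self.missing_authorizations)))
        if self.missing_compartments:
            parts.append("missing compartments: " + ", ".join(sorted(self.missing_compartments)))
        return "; ".join(parts)


def evaluate_sharing(item: InformationItem, partner: SharingPartner) -> Decision:
    """AC-21 a.: report whether the partner's authorizations match the item's restrictions.

    Every restriction marking and every compartment on the item must be held by the
    partner; anything the partner lacks is returned so the user can see why.
    """
    missing_auth = item.restrictions - partner.authorizations
    missing_comp = item.compartments - partner.compartments
    return Decision(not missing_auth and not missing_comp, missing_auth, missing_comp)


def enforce_sharing(item: InformationItem, partner: SharingPartner,
                    deliver: Callable[[InformationItem, SharingPartner], None],
                    audit_log: List[str],
                    confirm: Optional[Callable[[InformationItem, SharingPartner, Decision], bool]] = None) -> bool:
    """AC-21 (1): deliver only when the decision allows it, and record every outcome.

    When the item is marked as requiring user discretion, a confirmation callback
    (AC-21 b. assistance) can still withhold an otherwise permitted release.
    """
    decision = evaluate_sharing(item, partner)
    if not decision.allowed:
        audit_log.append(f"DENY {item.name} -> {partner.name}: {decision.reason()}")
        return False
    if item.user_discretion and confirm is not None and not confirm(item, partner, decision):
        audit_log.append(f"WITHHELD {item.name} -> {partner.name}: user declined to share")
        return False
    audit_log.append(f"ALLOW {item.name} -> {partner.name}: {decision.reason()}")
    deliver(item, partner)
    return True


# Constructed sample data (hypothetical markings and partners, not from the NIST text).
INCIDENT_REPORT = InformationItem("ics-incident-2024-q1",
                                  frozenset({"PROPRIETARY", "ICS-INCIDENT"}),
                                  frozenset({"SAP-TURBINE"}),
                                  user_discretion=True)
SECTOR_CERT = SharingPartner("sector-cert",
                             frozenset({"PROPRIETARY", "ICS-INCIDENT"}),
                             frozenset({"SAP-TURBINE"}))
HMI_VENDOR = SharingPartner("hmi-vendor", frozenset({"PROPRIETARY"}))


if __name__ == "__main__":
    log: List[str] = []
    sent: List[str] = []
    for partner in (SECTOR_CERT, HMI_VENDOR):
        enforce_sharing(INCIDENT_REPORT, partner,
                        deliver=lambda i, p: sent.append(p.name),
                        audit_log=log,
                        confirm=lambda i, p, d: True)   # stand-in for the user's decision
    print("\n".join(log))
```

The check is deliberately a set-containment test rather than a level comparison: the NIST text defines information by content, type, security category, or compartment, and for compartments and administrative markings there is no ordering to exploit, so every marking on the item must be explicitly held by the partner. The audit entries record denials and user withholdings as well as releases, which is what an incident reviewer will want when reconstructing what left the organization.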

Supplemental Guidance: NONE

AC-21 (2) INFORMATION SHARING | INFORMATION SEARCH AND RETRIEVAL

NOT SELECTED FOR THE NIST ICS CONTROL SET

The information system implements information search and retrieval services that enforce [Assignment: organization-defined information sharing restrictions].

Supplemental Guidance: NONE

REFERENCES:

  • NIST Special Publication 800-82 | GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY