This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.
NIST 800-53 (r4) Supplemental Guidance:
This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program/compartment. Related control: AC-3.
References: None.
NIST 800-53 (r5) Discussion:
Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include contract-sensitive information, classified information related to special access programs or compartments, privileged information, proprietary information, and personally identifiable information. Security and privacy risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to these determinations. Depending on the circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program or compartment. Access restrictions may include non-disclosure agreements (NDA). Information flow techniques and security attributes may be used to provide automated assistance to users making sharing and collaboration decisions.
38North Guidance:
Meets Minimum Requirement:
Only authorized users within the FedRAMP environment may share information about the system (for example a Security Assessment Report (SAR), vulnerability information, or performance data), and only with personnel who are themselves authorized to access the FedRAMP environment.
This control asks what safeguards are in place if the CSP decides, outside of its normal operations, to share restricted information with another party. It is not about the security of third parties with persistent connections to the system; that is covered under SA-9 and the interconnection controls in the CA family. AC-21 addresses ad-hoc or one-off sharing activities, where a sharing decision has to be made each time.
This control also covers what a customer is able to do in terms of exporting their own data, but that is the customer's responsibility. It should be called out in the SSP as a customer responsibility. No action is required of the CSP for that part.
Best Practice:
Only permit information sharing by personnel with authorized access, and only where an appropriately documented authorization is in place, such as a Service Level Agreement (SLA), Memorandum of Understanding (MOU), or Interconnection Security Agreement (ISA).
This control does not cover third-party services; external services and interconnections are already addressed by SA-9 and CA-3.
The litmus test is whether a sharing decision has to be made at every sharing occurrence. A third party that is operational and has a persistent connection is better addressed under SA-9 and CA-3. Ad-hoc sharing is what AC-21 covers. It also covers whether a customer can export their own data, though in most cases that is a customer responsibility.
Unofficial FedRAMP Guidance: None.
Assessment Evidence:
Examples of SLAs, MOUs, or ISAs with external parties that define what information from the FedRAMP system may be shared with the external organization, and under what conditions.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD