| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
AC-21 |
FedRAMP_High_R4_AC-21 |
FedRAMP High AC-21 |
Access Control |
Information Sharing |
Shared |
n/a |
The organization:
a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.
Supplemental Guidance: This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program/compartment. Related control: AC-3.
References: None. |
link |
2 |
| FedRAMP_Moderate_R4 |
AC-21 |
FedRAMP_Moderate_R4_AC-21 |
FedRAMP Moderate AC-21 |
Access Control |
Information Sharing |
Shared |
n/a |
The organization:
a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.
Supplemental Guidance: This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program/compartment. Related control: AC-3.
References: None. |
link |
2 |
| hipaa |
0209.09m3Organizational.7-09.m |
hipaa-0209.09m3Organizational.7-09.m |
0209.09m3Organizational.7-09.m |
02 Endpoint Protection |
0209.09m3Organizational.7-09.m 09.06 Network Security Management |
Shared |
n/a |
File sharing is disabled on wireless-enabled devices. |
|
6 |
| hipaa |
0306.09q1Organizational.3-09.q |
hipaa-0306.09q1Organizational.3-09.q |
0306.09q1Organizational.3-09.q |
03 Portable Media Security |
0306.09q1Organizational.3-09.q 09.07 Media Handling |
Shared |
n/a |
The status and location of unencrypted covered information is maintained and monitored. |
|
6 |
| NIST_SP_800-53_R4 |
AC-21 |
NIST_SP_800-53_R4_AC-21 |
NIST SP 800-53 Rev. 4 AC-21 |
Access Control |
Information Sharing |
Shared |
n/a |
The organization:
a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.
Supplemental Guidance: This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program/compartment. Related control: AC-3.
References: None. |
link |
2 |
| NIST_SP_800-53_R5 |
AC-21 |
NIST_SP_800-53_R5_AC-21 |
NIST SP 800-53 Rev. 5 AC-21 |
Access Control |
Information Sharing |
Shared |
n/a |
a. Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information???s access and use restrictions for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
b. Employ [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing and collaboration decisions. |
link |
2 |