CCI-002182

Release information outside of the established system boundary only if organization-defined system or system components provides organization-defined controls.

Implementation Guidance

Determine if information is released outside of the system only if the receiving [AC-03(09)_ODP[01]; the outside system or system component to which to release information is defined] provides [AC-03(09)_ODP[02]; controls to be provided by the outside system or system component (defined in AC-03(09)_ODP[01]) are defined].

Validation Procedures

Examine: [SELECT FROM: Access control policy; procedures addressing access enforcement; system design documentation; system configuration settings and associated documentation; list of security and privacy safeguards provided by receiving system or system components; list of security and privacy safeguards validating appropriateness of information designated for release; system audit records; results of period assessments (inspections/tests) of the external system; information sharing agreements; memoranda of understanding; acquisitions/contractual agreements; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security and privacy responsibilities; organizational personnel with responsibility for acquisitions/contractual agreements; legal counsel; system developers]. Test: [SELECT FROM: Mechanisms implementing access enforcement functions].

The controls below (if any) were marked by NIST as being related to CCI-002182.