CCI-002184

Release information outside of the established system boundary only if organization-defined controls are used to validate the appropriateness of the information designated for release.

Implementation Guidance

Determine if information is released outside of the system only if [AC-03(09)_ODP[03]; controls used to validate appropriateness of information to be released are defined] are used to validate the appropriateness of the information designated for release.

Validation Procedures

Examine: [SELECT FROM: Access control policy; procedures addressing access enforcement; system design documentation; system configuration settings and associated documentation; list of security and privacy safeguards provided by receiving system or system components; list of security and privacy safeguards validating appropriateness of information designated for release; system audit records; results of period assessments (inspections/tests) of the external system; information sharing agreements; memoranda of understanding; acquisitions/contractual agreements; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security and privacy responsibilities; organizational personnel with responsibility for acquisitions/contractual agreements; legal counsel; system developers]. Test: [SELECT FROM: Mechanisms implementing access enforcement functions].

The controls below (if any) were marked by NIST as being related to CCI-002184.