CCI-000098

Enable authorized users to determine whether access authorizations assigned to the sharing partner match the information's access and use restrictions for organization-defined information sharing circumstances where user discretion is required.

Implementation Guidance

Determine if authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information's access and use restrictions for [AC-21_ODP[01]; information-sharing circumstances where user discretion is required to determine whether access authorizations assigned to a sharing partner match the information's access and use restrictions are defined].

Validation Procedures

Examine: [SELECT FROM: Access control policy; procedures addressing user-based collaboration and information sharing (including restrictions); system design documentation; system configuration settings and associated documentation; list of users authorized to make information-sharing/collaboration decisions; list of information-sharing circumstances requiring user discretion; non-disclosure agreements; acquisitions/contractual agreements; system security plan; privacy plan; privacy impact assessment; security and privacy risk assessments; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel responsible for information-sharing/collaboration decisions; organizational personnel with responsibility for acquisitions/contractual agreements; system/network administrators; organizational personnel with information security and privacy responsibilities]. Test: [SELECT FROM: Automated mechanisms or manual process implementing access authorizations supporting information-sharing/user collaboration decisions].

The controls below (if any) were marked by NIST as being related to CCI-000098.