Organizations frequently share information through various information exchange channels based on mission and business needs. In order to protect the confidentiality, integrity, and availability of exchanged information commensurate with risk, the information being exchanged requires protection at the same or similar levels as it moves from one organization to another.

NIST Special Publication (SP) 800-47 Revision 1, Managing the Security of Information Exchanges, provides guidance on identifying information exchanges; risk-based considerations for protecting exchanged information before, during, and after the exchange; and example agreements for managing the protection of the exchanged information.

Rather than focus on any particular type of technology-based connection or information access, this draft publication has been updated to define the scope of information exchange, describe the benefits of securely managing the information exchange, identify types of information exchanges, discuss potential security risks associated with information exchange, and detail a four-phase methodology to securely manage information exchange between systems and organizations. Organizations are expected to further tailor the guidance to meet specific organizational needs and requirements.

NIST is specifically interested in feedback on:

1. Whether the agreements addressed in the draft publication represent a comprehensive set of agreements needed to manage the security of information exchange.
2. Whether the matrix provided to determine what types of agreements are needed is helpful in determining appropriate agreement types.
3. Whether additional agreement types are needed, as well as examples of additional agreements.
4. Additional resources to help manage the security of information exchange.

A public comment period for this document is open through March 12, 2021. See the publication details for a copy of the draft publication and instructions for submitting comments using the comment template provided. For any questions, please contact sec-cert@nist.gov.

NOTE: A call for patent claims is included on page iv of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.