Date Published: January 2021
Comments Due:
Email Questions to:
Author(s)
Kelley Dempsey (NIST), Victoria Pillitteri (NIST), Andrew Regenscheid (NIST)
Announcement
Organizations frequently share information through various information exchange channels based on mission and business needs. In order to protect the confidentiality, integrity, and availability of exchanged information commensurate with risk, the information being exchanged requires protection at the same or similar levels as it moves from one organization to another.
Draft SP 800-47 Rev. 1 provides guidance on identifying information exchanges; risk-based considerations for protecting exchanged information before, during, and after the exchange; and example agreements for managing the protection of the exchanged information.
Rather than focus on any particular type of technology-based connection or information access, this draft publication has been updated to define the scope of information exchange, describe the benefits of securely managing the information exchange, identify types of information exchanges, discuss potential security risks associated with information exchange, and detail a four-phase methodology to securely manage information exchange between systems and organizations. Organizations are expected to further tailor the guidance to meet specific organizational needs and requirements.
NIST is specifically interested in feedback on:
- Whether the agreements addressed in the draft publication represent a comprehensive set of agreements needed to manage the security of information exchange.
- Whether the matrix provided to determine what types of agreements are needed is helpful in determining appropriate agreement types.
- Whether additional agreement types are needed, as well as examples of additional agreements.
- Additional resources to help manage the security of information exchange.
We encourage you to submit comments using the comment template provided (if possible). For any questions, please contact sec-cert@nist.gov.
NOTE: A call for patent claims is included on page iv of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.
An organization often has mission and business-based needs to exchange (share) information with one or more other internal or external organizations via various information exchange channels; however, it is recognized that the information being exchanged also requires the same or similar level of protection as it moves from one organization to another (protection commensurate with risk).
This publication focuses managing the protection of the information being exchanged or accessed before, during, and after the exchange rather than on any particular type of technology-based connection or information access or exchange method and thus provides guidance on identifying information exchanges, considerations for protecting exchanged information, and the agreement(s) needed to help manage protection of the exchanged information. Organizations are expected to tailor the guidance to meet specific organizational needs and requirements regarding the information exchange.
An organization often has mission and business-based needs to exchange (share) information with one or more other internal or external organizations via various information exchange channels; however, it is recognized that the information being exchanged also requires the same or similar level of...
See full abstract
An organization often has mission and business-based needs to exchange (share) information with one or more other internal or external organizations via various information exchange channels; however, it is recognized that the information being exchanged also requires the same or similar level of protection as it moves from one organization to another (protection commensurate with risk).
This publication focuses managing the protection of the information being exchanged or accessed before, during, and after the exchange rather than on any particular type of technology-based connection or information access or exchange method and thus provides guidance on identifying information exchanges, considerations for protecting exchanged information, and the agreement(s) needed to help manage protection of the exchanged information. Organizations are expected to tailor the guidance to meet specific organizational needs and requirements regarding the information exchange.
Hide full abstract
Keywords
agreements; connection; information exchange; information exchange agreement; interconnection; interconnection security agreement; memoranda of agreement; memoranda of understanding; nondisclosure agreement; protection requirements; risk management; service level agreement; user agreement
Control Families
Assessment, Authorization and Monitoring; Planning; Risk Assessment; System and Communications Protection
) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)
