Date Published: January 2021
Comments Due: March 12, 2021 (public comment period is CLOSED)
Email Questions to: sec-cert@nist.gov
Organizations frequently share information through various information exchange channels based on mission and business needs. In order to protect the confidentiality, integrity, and availability of exchanged information commensurate with risk, the information being exchanged requires protection at the same or similar levels as it moves from one organization to another.
Draft SP 800-47 Rev. 1 provides guidance on identifying information exchanges; risk-based considerations for protecting exchanged information before, during, and after the exchange; and example agreements for managing the protection of the exchanged information.
Rather than focus on any particular type of technology-based connection or information access, this draft publication has been updated to define the scope of information exchange, describe the benefits of securely managing the information exchange, identify types of information exchanges, discuss potential security risks associated with information exchange, and detail a four-phase methodology to securely manage information exchange between systems and organizations. Organizations are expected to further tailor the guidance to meet specific organizational needs and requirements.
NIST is specifically interested in feedback on:
We encourage you to submit comments using the comment template provided (if possible). For any questions, please contact sec-cert@nist.gov.
NOTE: A call for patent claims is included on page iv of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.
Control Families: Assessment, Authorization and Monitoring; Planning; Risk Assessment; System and Communications Protection
Publication:
https://doi.org/10.6028/NIST.SP.800-47r1-draft
Supplemental Material:
Comment template (xlsx)
Document History:
01/26/21: SP 800-47 Rev. 1 (Draft)
07/20/21: SP 800-47 Rev. 1 (Final)
Keywords: continuous monitoring, planning, risk assessment
Laws and Regulations: Federal Information Security Modernization Act, OMB Circular A-130