NIST Drafts New Risk-Based Guide to Information Exchange Security

Organizations frequently share information through a variety of exchange channels based on mission and business needs. To protect the confidentiality, integrity, and availability of exchanged information commensurate with risk, that information must be protected at the same or a similar level as it moves from one organization to another.

The National Institute of Standards and Technology (NIST) Draft SP 800-47 Rev. 1 provides guidance on identifying information exchanges; risk-based considerations for protecting exchanged information before, during, and after the exchange; and example agreements for managing the protection of the exchanged information.

Rather than focus on any particular type of technology-based connection or information access, this draft publication has been updated to define the scope of information exchange, describe the benefits of securely managing the information exchange, identify types of information exchanges, discuss potential security risks associated with information exchange, and detail a four-phase methodology to securely manage information exchange between systems and organizations.

The following four phases of information exchange management are addressed:

1. Planning the information exchange: The participating organizations perform preliminary activities; examine all relevant technical, security, and administrative issues; and develop an appropriate agreement to govern the management and use of the information and how it is to be exchanged (e.g., via a dedicated circuit or virtual private network, database sharing, cloud- or web-based services, simple file exchange).

2. Establishing the information exchange: The organizations develop and execute a plan for establishing the information exchange, including implementing or configuring appropriate security controls and developing and signing appropriate agreements.

3. Maintaining the exchange and associated agreements: The organizations actively maintain the security of the information exchange after it is established and ensure that the terms of the associated agreements are met and remain relevant, including reviewing and renewing the agreements at an agreed-upon frequency.

4. Discontinuing the information exchange: Information exchange may be temporary, or at some point the organizations may need to discontinue the exchange. Whether the exchange was temporary or long-term, it is concluded in a manner that avoids disrupting any other party's system. In response to an incident or other emergency, however, the organizations may decide to discontinue the information exchange immediately.

The publication provides recommended steps for completing each phase, with an emphasis on the security measures necessary to protect the shared data.

Organizations are expected to further tailor the guidance to meet specific organizational needs and requirements.

NIST is asking for feedback on:

  1. Whether the agreements addressed in the draft publication represent a comprehensive set of agreements needed to manage the security of information exchange.
  2. Whether the matrix provided to determine what types of agreements are needed is helpful in determining appropriate agreement types.
  3. Whether additional agreement types are needed, as well as examples of additional agreements.
  4. Additional resources to help manage the security of information exchange.

NIST encourages feedback using their comment template. For questions, please contact sec-cert@nist.gov.

Tracy Fox
