Organizations frequently share information through various information exchange channels based on mission and business needs. To protect the confidentiality, integrity, and availability of exchanged information commensurate with risk, the information being exchanged requires protection at the same or similar levels as it moves from one organization to another.
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-47, Revision 1, Managing the Security of Information Exchanges, provides guidance on identifying information exchanges; risk-based considerations for protecting exchanged information before, during, and after the exchange; and example agreements for managing the protection of the exchanged information.
Rather than focusing on any particular type of technology-based connection or information access, NIST said, this draft publication has been updated to define the scope of information exchange more broadly. SP 800-47 Rev. 1 describes the benefits of securely managing information exchanges, identifies types of information exchanges, discusses potential security risks associated with information exchange, and details a four-phase methodology for securely managing information exchange between systems and organizations. NIST advised that organizations are expected to further tailor the guidance to meet their specific needs and requirements.
The following four phases of information exchange management are addressed:
1. Planning the information exchange: The participating organizations perform preliminary activities; examine all relevant technical, security, and administrative issues; and develop an appropriate agreement to govern the management and use of the information and how it is to be exchanged, for example, via a dedicated circuit or virtual private network, database sharing, cloud- or web-based services, or simple file exchange.
2. Establishing the information exchange: The organizations develop and execute a plan for establishing the information exchange, including implementing or configuring appropriate security controls and developing and signing appropriate data agreements.
3. Maintaining the exchange and associated agreements: Organizations actively maintain the security of the information exchange after it is established and ensure that the terms of the associated agreements are met and remain relevant, including reviewing and renewing the agreements at an agreed-upon frequency.
4. Discontinuing the information exchange: Information exchange may be temporary, or at some point, the organizations may need to discontinue or modify the information exchange. Whether the exchange was temporary or long-term, the conclusion of an information exchange is conducted in a manner that avoids disrupting any other party’s system. In response to an incident or other emergency, however, organizations may decide to discontinue the information exchange immediately.
SP 800-47 Rev. 1 provides recommended steps for completing each phase, with an emphasis on the security measures necessary to protect the shared data.
Also included is information for selecting and developing appropriate information exchange agreements and agreement templates. Agreements specify the responsibilities of participating organizations and the technical and security requirements for the information exchange.
A public comment period for this document is open through March 12, 2021. See the publication details for a copy of the draft publication and instructions for submitting comments using the comment template provided.
SP 800-47 Rev. 1 (Draft) (DOI)
Comment template (xls)