SP 800-47 Rev. 1 (Draft)

Managing the Security of Information Exchanges

Date Published: January 2021
Comments Due: March 12, 2021 (public comment period is CLOSED)
Email Questions to: sec-cert@nist.gov

Author(s)

Kelley Dempsey (NIST), Victoria Pillitteri (NIST), Andrew Regenscheid (NIST)

Announcement

Organizations frequently share information through various information exchange channels based on mission and business needs. In order to protect the confidentiality, integrity, and availability of exchanged information commensurate with risk, the information being exchanged requires protection at the same or similar levels as it moves from one organization to another.

Draft SP 800-47 Rev. 1 provides guidance on identifying information exchanges; risk-based considerations for protecting exchanged information before, during, and after the exchange; and example agreements for managing the protection of the exchanged information.

Rather than focus on any particular type of technology-based connection or information access, this draft publication has been updated to define the scope of information exchange, describe the benefits of securely managing the information exchange, identify types of information exchanges, discuss potential security risks associated with information exchange, and detail a four-phase methodology to securely manage information exchange between systems and organizations. Organizations are expected to further tailor the guidance to meet specific organizational needs and requirements.

NIST is specifically interested in feedback on:

  1. Whether the agreements addressed in the draft publication represent a comprehensive set of agreements needed to manage the security of information exchange.
  2. Whether the matrix provided to determine what types of agreements are needed is helpful in determining appropriate agreement types.
  3. Whether additional agreement types are needed, as well as examples of additional agreements.
  4. Additional resources to help manage the security of information exchange.

We encourage you to submit comments using the comment template provided (if possible). For any questions, please contact sec-cert@nist.gov.

NOTE: A call for patent claims is included on page iv of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.

Abstract

Keywords

agreements; connection; information exchange; information exchange agreement; interconnection; interconnection security agreement; memoranda of agreement; memoranda of understanding; nondisclosure agreement; protection requirements; risk management; service level agreement; user agreement

Control Families

Assessment, Authorization and Monitoring; Planning; Risk Assessment; System and Communications Protection

Documentation

Publication:
SP 800-47 Rev. 1 (Draft) (DOI)
Local Download

Supplemental Material:
Comment template (xls)

Document History:
01/26/21: SP 800-47 Rev. 1 (Draft)