Vigyata.AI

Episode 18_INFORMATION SHARING_ (AC-21)

721 views · 40 likes · 8:00 · Jul 26, 2023


In this episode of the NIST SP 800-53 Rev 5 Security Control explanatory series, we review AC-21 INFORMATION SHARING, simplify what the control requirements are all about, and discuss how best to assess/test this control during the Security Control Assessment (SCA) process and the self control assessment process in the Continuous Monitoring/On-Going Authorization phase of the RMF.

Computer Security Resource Center: https://csrc.nist.gov/publications

The free way to help the channel grow is by subscribing using the link below: https://www.youtube.com/c/KamilSec?su...

*************Patreon & Channel Support*******************
https://www.patreon.com/kamilSec?fan_landing=true

********Order your KamilSec (KS) Designs Merch:**********
https://kamilsec.creator-spring.com/

**************************************************************
CashApp: $Kamilzak
Zelle: kaamilzak@gmail.com
PayPal: https://paypal.me/MZakari
Venmo: @kamilsec
Thank You!!!

*************************************************************
**I ALSO CONDUCT INDIVIDUALIZED RESUME AND INTERVIEW PREP SESSIONS AS WELL AS ON-THE-JOB CONSULTATION**

***************************************************************
****Connect with me on Social Media****:
Twitter: https://twitter.com/Kamilzak_1
Instagram: @Kamilzak1
Facebook: https://www.facebook.com/kamil.kamilsec
E-Mail: Kaamilzak@gmail.com

About This Video

In Episode 18 of my NIST SP 800-53 Rev 5 Access Control series, I break down AC-21 (Information Sharing) and explain what it is really trying to protect: restricted organizational data that gets shared outside your boundary. I walk through why you need written agreements in place before sharing with business partners, such as an MOU (memorandum of understanding), MOA (memorandum of agreement), or SLA (service level agreement), so the rules, responsibilities, and security expectations are clearly defined. The big idea is simple: don't share restricted information unless the partner's access authorization actually matches the information's access and use restrictions.

I also go over the types of security controls you should be thinking about when information is shared: authentication (IA controls), audit logging (so actions are tracked), and authorization/need-to-know.

Then I show you how I approach assessing AC-21 during an SCA or during ongoing authorization/continuous monitoring: review the SSP, the access control policy/procedures, and the actual agreements between entities, and confirm that the organization defines the circumstances under which sharing is permitted (including when user discretion is required). If the controls protecting the sharing process don't look adequate, I'm telling you to raise the concern during the assessment.
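The decision rule the episode describes (an agreement must be in force, and the partner's access authorizations must match the information's access and use restrictions, with every decision logged) can be expressed as a small automated decision aid. The following is an added example written for this page; it is not code from the KamilSec video or from NIST. The partner names, agreement dates, restriction labels and the rule that "PII" always needs a human to confirm the release are constructed assumptions.

```python
"""Added example: an AC-21-style automated sharing decision aid.

Two checks from the video are modelled: (1) a written agreement (MOU/MOA/SLA)
must be in force with the partner, and (2) the partner's authorizations must
cover every access/use restriction on the information. Each decision is
written as one JSON audit line. All names and dates are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
import json

# Constructed policy: labels where the organization requires user discretion
# (a human confirms the release) even when the automated checks pass.
USER_DISCRETION_LABELS = frozenset({"PII"})


@dataclass(frozen=True)
class SharingAgreement:
    partner: str
    kind: str              # "MOU", "MOA" or "SLA"
    expires: date
    covers: frozenset      # restriction labels the agreement permits us to share


@dataclass(frozen=True)
class Partner:
    name: str
    authorizations: frozenset   # labels the partner's users are authorized for


@dataclass(frozen=True)
class Information:
    identifier: str
    restrictions: frozenset     # access/use restrictions on the information


@dataclass
class Decision:
    allowed: bool
    needs_user_review: bool = False
    reasons: list = field(default_factory=list)


def find_agreement(partner_name, agreements, today):
    """Return the first unexpired agreement with the partner, or None."""
    for a in agreements:
        if a.partner == partner_name and a.expires >= today:
            return a
    return None


def evaluate_sharing(info, partner, agreements, today):
    """May `info` be shared with `partner` today? Never raises; returns a Decision."""
    decision = Decision(allowed=True)

    agreement = find_agreement(partner.name, agreements, today)
    if agreement is None:
        decision.allowed = False
        decision.reasons.append("no agreement in force with partner")
        return decision  # nothing further can be checked without an agreement

    not_covered = info.restrictions - agreement.covers
    if not_covered:
        decision.allowed = False
        decision.reasons.append(f"{agreement.kind} does not cover: {sorted(not_covered)}")

    # The core AC-21 test: partner authorizations must match the restrictions.
    unauthorized = info.restrictions - partner.authorizations
    if unauthorized:
        decision.allowed = False
        decision.reasons.append(f"partner not authorized for: {sorted(unauthorized)}")

    if decision.allowed and info.restrictions & USER_DISCRETION_LABELS:
        decision.needs_user_review = True
        decision.reasons.append("user discretion required before release")
    return decision


def audit_record(actor, info, partner, decision, today):
    """One JSON line per decision so the sharing action can be traced later."""
    return json.dumps({
        "date": today.isoformat(), "actor": actor,
        "information": info.identifier, "partner": partner.name,
        "allowed": decision.allowed,
        "needs_user_review": decision.needs_user_review,
        "reasons": decision.reasons,
    }, sort_keys=True)


# --- constructed sample data ---------------------------------------------
AGREEMENTS = [
    SharingAgreement("AcmeLogistics", "MOU", date(2024, 12, 31), frozenset({"CUI", "PII"})),
    SharingAgreement("OldVendor", "SLA", date(2022, 6, 30), frozenset({"CUI"})),  # expired
]
ACME = Partner("AcmeLogistics", frozenset({"CUI", "PII"}))
OLD_VENDOR = Partner("OldVendor", frozenset({"CUI"}))
TODAY = date(2023, 7, 26)


def demo():
    """Evaluate three representative requests; returns (Decision, audit line) pairs."""
    cases = [
        (Information("shipment-manifest", frozenset({"CUI"})), ACME),             # allowed
        (Information("export-list", frozenset({"CUI", "NO-FOREIGN"})), ACME),     # denied
        (Information("shipment-manifest", frozenset({"CUI"})), OLD_VENDOR),       # denied
    ]
    results = []
    for info, partner in cases:
        d = evaluate_sharing(info, partner, AGREEMENTS, TODAY)
        results.append((d, audit_record("analyst1", info, partner, d, TODAY)))
    return results


if __name__ == "__main__":
    for _, line in demo():
        print(line)
```

The aid only supports the user's decision; it does not replace the assessor's review of the SSP and the actual agreements. Note that a denial records every failed check rather than stopping at the first, which is what an assessor wants to see when reading the audit trail.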
