Organizations have mission and business-based needs to exchange or share information with one or more internal or external organizations via various information exchange channels. In order to protect the confidentiality, integrity, and availability of the information commensurate with risk, the information being exchanged requires protection at the same or similar levels as it moves from one organization to another.
NIST Special Publication (SP) 800-47 Revision 1, Managing the Security of Information Exchanges, provides guidance on identifying information exchanges; considerations for protecting exchanged information before, during, and after the exchange commensurate with risk; and sample templates of the agreements needed to manage the protection of the exchanged information. Rather than focus on any particular type of technology-based connection or information access, this publication has been updated to define the scope of information exchange, describe the benefits of securely managing information exchange, identify types of information exchanges, discuss potential security risks associated with information exchange, and detail a four phase methodology to securely manage information exchange between systems and organizations. This document also recommends steps for each phase of the methodology with an emphasis on the security measures necessary to protect the shared data.