NIST 800-53 r5 · Controls catalogue · Family AC

AC-21Information Sharing

Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }} ; and Employ {{ insert: param, ac-21_odp.02 }} to assist users in making information sharing and collaboration decisions.

Last updated: 09 May 2026 03:25 UTC

Implementations targeting this control (0)

No implementations targeting this control yet.

ATT&CK techniques this control mitigates (5)

T1213 Data from Information Repositories Collection
T1213.001 Confluence Collection
T1213.002 Sharepoint Collection
T1213.004 Customer Relationship Management Software Collection
T1213.005 Messaging Applications Collection

Weaknesses this control addresses (6)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE	Name	CVEs	Why this control addresses it
`CWE-200`	Exposure of Sensitive Information to an Unauthorized Actor	10,204	By enforcing authorization matching prior to sharing, the control reduces the risk of exposing sensitive information to unauthorized actors.
`CWE-862`	Missing Authorization	8,680	The control provides a mechanism for authorized users to determine authorization matches, preventing sharing without proper authorization verification.
`CWE-284`	Improper Access Control	4,832	This control requires verifying that a sharing partner's access authorizations match the information's restrictions before sharing occurs.
`CWE-863`	Incorrect Authorization	3,234	It assists users in evaluating and applying correct authorization decisions when sharing information with external partners.
`CWE-285`	Improper Authorization	1,230	It mandates explicit checks to confirm the sharing partner's authorizations align with the information's access and use restrictions.
`CWE-668`	Exposure of Resource to Wrong Sphere	779	The control ensures information is not released into a security sphere where the recipient lacks matching access authorizations.

Top CVEs where this control is the strongest mitigation

CVE	Risk	CVSS	EPSS	Match
No CVEs annotated to this control yet — the per-CVE backfill is in progress.

Other controls in family AC

AC-1 AC-10 AC-11 AC-12 AC-13 AC-14 AC-15 AC-16 AC-17 AC-18 AC-19 AC-2 AC-20 AC-22 AC-23 AC-24 AC-25 AC-3 AC-4 AC-5 AC-6 AC-7 AC-8 AC-9