NIST 800-53 r5 · Controls catalogue · Family AC

AC-21Information Sharing

Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }} ; and Employ {{ insert: param, ac-21_odp.02 }} to assist users in making information sharing and collaboration decisions.

Last updated: 19 May 2026 14:18 UTC

Implementations targeting this control (20)

aws-config-s3-bucket-public-read-prohibited S3 buckets prohibit public read access AWS::S3::Bucket partial protect enforce
aws-config-s3-bucket-public-write-prohibited S3 buckets prohibit public write access AWS::S3::Bucket partial protect enforce CIS §2.1.4Hub S3.8
aws-config-rds-instance-public-access-check RDS instances are not publicly accessible AWS::RDS::DBInstance partial protect enforce CIS v5 §2.2.3CIS v3 §2.3.3Hub RDS.2
aws-config-rds-snapshots-public-prohibited RDS snapshots are not publicly restorable AWS::RDS::DBSnapshot partial recover enforce
aws-config-lambda-function-public-access-prohibited Lambda function policies prohibit public invocation AWS::Lambda::Function partial protect enforce
aws-config-autoscaling-launch-config-public-ip-disabled Autoscaling Launch Config Public Ip Disabled AWS::AutoScaling::AutoScalingGroup partial protect enforce
aws-config-dms-replication-not-public Dms Replication Not Public AWS::DMS::ReplicationInstance partial recover enforce
aws-config-ebs-snapshot-public-restorable-check Ebs Snapshot Public Restorable Check AWS::EC2::Volume partial recover enforce
aws-config-ec2-instance-no-public-ip Ec2 Instance No Public Ip AWS::EC2::Instance partial protect enforce
aws-config-ec2-instances-in-vpc Ec2 Instances In Vpc AWS::EC2::Instance partial protect enforce
aws-config-elasticsearch-in-vpc-only Elasticsearch In Vpc Only AWS::OpenSearchService::Domain partial protect enforce
aws-config-emr-master-no-public-ip Emr Master No Public Ip AWS::EMR::Cluster partial protect enforce
aws-config-lambda-inside-vpc Lambda Inside Vpc AWS::Lambda::Function partial protect enforce
aws-config-opensearch-in-vpc-only Opensearch In Vpc Only AWS::OpenSearchService::Domain partial protect enforce
aws-config-redshift-cluster-public-access-check Redshift Cluster Public Access Check AWS::Redshift::Cluster partial protect enforce
aws-config-s3-account-level-public-access-blocks-periodic S3 Account Level Public Access Blocks Periodic AWS::S3::Bucket partial protect enforce CIS §2.1.4Hub S3.1
aws-config-s3-bucket-level-public-access-prohibited S3 Bucket Level Public Access Prohibited AWS::S3::Bucket partial protect enforce
aws-config-sagemaker-notebook-no-direct-internet-access Sagemaker Notebook No Direct Internet Access AWS::SageMaker::NotebookInstance partial protect enforce
aws-config-ssm-document-not-public Ssm Document Not Public AWS::SSM::Document partial protect enforce
aws-config-subnet-auto-assign-public-ip-disabled Subnet Auto Assign Public Ip Disabled AWS::EC2::Subnet partial protect enforce

ATT&CK techniques this control mitigates (5)

T1213 Data from Information Repositories Collection
T1213.001 Confluence Collection
T1213.002 Sharepoint Collection
T1213.004 Customer Relationship Management Software Collection
T1213.005 Messaging Applications Collection

Weaknesses this control addresses (6)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE	Name	CVEs	Why this control addresses it
`CWE-200`	Exposure of Sensitive Information to an Unauthorized Actor	10,259	By enforcing authorization matching prior to sharing, the control reduces the risk of exposing sensitive information to unauthorized actors.
`CWE-862`	Missing Authorization	8,796	The control provides a mechanism for authorized users to determine authorization matches, preventing sharing without proper authorization verification.
`CWE-284`	Improper Access Control	4,905	This control requires verifying that a sharing partner's access authorizations match the information's restrictions before sharing occurs.
`CWE-863`	Incorrect Authorization	3,303	It assists users in evaluating and applying correct authorization decisions when sharing information with external partners.
`CWE-285`	Improper Authorization	1,252	It mandates explicit checks to confirm the sharing partner's authorizations align with the information's access and use restrictions.
`CWE-668`	Exposure of Resource to Wrong Sphere	788	The control ensures information is not released into a security sphere where the recipient lacks matching access authorizations.

Top CVEs where this control is the strongest mitigation

CVE	Risk	CVSS	EPSS	Match
No CVEs annotated to this control yet — the per-CVE backfill is in progress.

Other controls in family AC

AC-1 AC-10 AC-11 AC-12 AC-13 AC-14 AC-15 AC-16 AC-17 AC-18 AC-19 AC-2 AC-20 AC-22 AC-23 AC-24 AC-25 AC-3 AC-4 AC-5 AC-6 AC-7 AC-8 AC-9