NIST 800-171 • LEVEL 2 • SECURITY ASSESSMENT AND MONITORING

3.12.5 Information Exchange

Specify, document, and control the security requirements for information exchange between systems and between organizations. Information exchange agreements define the permitted data flows, applicable protections, and responsibilities for safeguarding Controlled Unclassified Information (CUI) during transfer and shared processing.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

  • security requirements for information exchange between systems are specified and documented.
  • security requirements for information exchange between organizations are specified and documented.
  • information exchange security requirements are controlled and enforced through documented agreements and technical controls.

Practitioner Notes

Information exchange requirements define how data is allowed to move between systems and organizations, including who is responsible for protection at each boundary.

Example 1: Include encryption requirements, approved transfer methods, and incident notification timelines in a vendor data exchange agreement before sharing CUI.

Example 2: Document allowed integration paths between internal and partner systems, then enforce them with firewall rules, API allowlists, and logging at the boundary.
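One way to turn a documented exchange agreement into an enforceable allowlist with logging at the boundary, as an added example that is not part of the original page; the partner names, hostnames and agreement fields are constructed assumptions, not values from any real agreement.

```python
"""Added example: evaluate a proposed transfer against documented
information exchange agreements and log the decision at the boundary."""
from dataclasses import dataclass
import logging

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("exchange-boundary")


@dataclass(frozen=True)
class ExchangeAgreement:
    partner: str                 # organisation named in the agreement
    source_system: str           # internal system permitted to send
    destination: str             # partner endpoint (constructed hostname)
    protocol: str                # approved transfer method
    encryption_required: bool    # protection the agreement mandates in transit
    data_types: frozenset        # data categories the agreement covers
    notify_hours: int            # incident notification timeline (documented)


# Constructed agreements standing in for a signed exchange agreement register.
AGREEMENTS = [
    ExchangeAgreement("Acme Supplier", "erp-prod", "sftp.acme.example",
                      "sftp", True, frozenset({"CUI"}), 24),
    ExchangeAgreement("Public CDN", "web-prod", "cdn.example.net",
                      "https", True, frozenset({"public"}), 72),
]


@dataclass(frozen=True)
class Transfer:
    source_system: str
    destination: str
    protocol: str
    data_type: str
    encrypted: bool


def evaluate(transfer, agreements=AGREEMENTS):
    """Return (allowed, reason). Allowed only when a documented agreement covers
    the path, the transfer method, the data category and the required protection."""
    for a in agreements:
        if (a.source_system, a.destination) != (transfer.source_system, transfer.destination):
            continue
        if transfer.protocol != a.protocol:
            return False, f"protocol {transfer.protocol} not approved for {a.partner}"
        if transfer.data_type not in a.data_types:
            return False, f"{transfer.data_type} not permitted under agreement with {a.partner}"
        if a.encryption_required and not transfer.encrypted:
            return False, f"agreement with {a.partner} requires encryption in transit"
        return True, f"permitted by agreement with {a.partner}"
    return False, "no documented agreement covers this path"


def enforce(transfer, agreements=AGREEMENTS):
    """Boundary decision point: log every decision, return True only for permitted flows."""
    allowed, reason = evaluate(transfer, agreements)
    log.info("%s %s->%s %s %s: %s", "ALLOW" if allowed else "DENY", transfer.source_system,
             transfer.destination, transfer.protocol, transfer.data_type, reason)
    return allowed
```

The same allowlist can be exported as firewall or API gateway rules so that the technical control and the documented agreement are generated from one source.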