CMMC Practice AC.L1-3.1.22

Control information posted or processed on publicly accessible information systems.

Bold Coast Security Guidance

You must designate a person, or persons, who may post material to the company website, issue press releases, and/or communicate with the media to ensure Federal Contract Information (FCI), including CUI, are not inadvertently made public. The authorized person(s) must be fluent with the types (classifications) of data your company holds, and the handling requirements for each. Also, restrict access to website editing to only designated people and follow a change control process for logging changes. Create your policy indicating that the organization controls information posted or processed on publicly accessible information systems by assigning a user (or users) responsibility for posting that information, and then state who that person is in your security plan for level three maturity. In order to measure the effectiveness of your policy, you should review the privileges of those who can make edits to your website, and review the website content on a regular basis.
Security Catapult

Be prepared for CMMC

Our Q&A assessment tool is designed by security advisors for MSPs and DoD contractors of all sizes.

Try now for free

Understand your gaps
Security Catapult

Understand your gaps

See compliance gaps, compliance scores and proactive security tasks in a single interface.

Try now for free

Validate NIST SP 800-171
Security Catapult

Validate NIST SP 800-171

Based on your CMMC answers, we let you know where you stand on NIST.

Try now for free

Build a plan of action
Security Catapult

Build a plan of action

Track your burn down and stay on top of security needs.

Try now for free

Build your policy
Security Catapult

Build your policy

Say goodbye to maintaining a security policy. We do it for you.

Try now for free

Discussion From Source

DRAFT NIST SP 800-171 R2 In accordance with laws, Executive Orders, directives, policies, regulations, or standards, the public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act, CUI, and proprietary information). This requirement addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Individuals authorized to post CUI onto publicly accessible systems are designated. The content of information is reviewed prior to posting onto publicly accessible systems to ensure that nonpublic information is not included.

References