CMMC Practice AC.L1-3.1.20 – Control Public Information: Control information posted or processed on publicly accessible information systems.
Links to Publicly Available Resources
This guideline provides an example of Data Classification framework that defines categories for data. This article discusses a foundational component necessary to govern the posting of information: Data Classification. This document provides assessment guidance for Level 1 of the Cybersecurity Maturity Model Certification (CMMC). This article provides a comprehensive description of Data Loss Prevention (DLP). The article includes best Practices for DLP planning and preparation, and tools for automating DLP. This is an example of a policy that fulfills AC.1.1004 Control information posted or processed on publicly accessible information systems. This example IT practices document from UC Santa Cruz lays out practices for protecting restricted data. In this edition of the On Call Compliance Solutions Compliance Tip of the Week, we discuss the requirement to address systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Let’s talk about NIST 800-171 Control 3.1.22 -- Control CUI posted or processed on publicly accessible systems.
Discussion [NIST SP 800-171 R2]
In accordance with laws, Executive Orders, directives, policies, regulations, or standards, the public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act, FCI, and proprietary information). This requirement addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Individuals authorized to post FCI onto publicly accessible systems are designated. The content of information is reviewed prior to posting onto publicly accessible systems to ensure that nonpublic information is not included.
Further Discussion
Do not allow FCI to become public – always safeguard the confidentiality of FCI by controlling the posting of FCI on company-controlled websites or public forums, and the exposure of FCI in public presentations or on public displays. It is important to know which users are allowed to publish information on publicly accessible systems, like your company website, and implement a review process before posting such information. If FCI is discovered on a publicly accessible system, procedures should be in place to remove that information and alert the appropriate parties.