AC.L2-3.1.22 Control Public Information

CMMC Requirement AC.L2-3.1.22 – Control Public Information: Control information posted or processed on publicly accessible information systems.

Links to Publicly Available Resources

Carnegie Mellon University Information Security Office – Guidelines for Data Classification
This guideline provides an example of Data Classification framework that defines categories for data.
CDW – 7 Steps to Effective Data Classification
This article discusses a foundational component necessary to govern the posting of information: Data Classification.
CMMC Level 1 Self-Assessment Guide
This document provides self-assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 1.
ISACA Journal Article – Data Loss Prevention: Next Steps
This article provides a comprehensive description of Data Loss Prevention (DLP). The article includes best Practices for DLP planning and preparation, and tools for automating DLP.
Texas A&M IT Policy – Access Control – Publicly Accessible Content
This is an example of a policy that fulfills AC.1.1004 Control information posted or processed on publicly accessible information systems.
University of California Santa Cruz – Protecting Electronic Restricted Data
This example IT practices document from UC Santa Cruz lays out practices for protecting restricted data.
YouTube – NIST 800-171 Control 3.1.22 — Control CUI posted or processed on publicly accessible systems
In this edition of the On Call Compliance Solutions Compliance Tip of the Week, we discuss the requirement to address systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Let’s talk about NIST 800-171 Control 3.1.22 -- Control CUI posted or processed on publicly accessible systems.

Discussion [NIST SP 800-171 R2]
In accordance with laws, Executive Orders, directives, policies, regulations, or standards, the public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act, FCI, and proprietary information). This requirement addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Individuals authorized to post FCI onto publicly accessible systems are designated. The content of information is reviewed prior to posting onto publicly accessible systems to ensure that nonpublic information is not included.

Further Discussion
Only government officials can be authorized to release CUI to the public. Do not allow CUI to become public – always safeguard the confidentiality of CUI by controlling the posting of CUI on company-controlled websites or public forums, and the exposure of CUI in public presentations or on public displays. It is important to know which users are allowed to publish information on publicly accessible systems, like your company website, and implement a review process before posting such information. If CUI is discovered on a publicly accessible system, procedures should be in place to remove that information and alert the appropriate parties.