CMMC Practice AC.L1-3.1.22

Control information posted or processed on publicly accessible information systems.

Monarch ISC Guidance

You must designate a person, or persons, who may post material to the company website, issue press releases, and/or communicate with the media to ensure Federal Contract Information (FCI), including CUI, are not inadvertently made public. The authorized person(s) must be fluent with the types (classifications) of data your company holds, and the handling requirements for each. Also, restrict access to website editing to only designated people and follow a change control process for logging changes. Create your policy indicating that the organization controls information posted or processed on publicly accessible information systems by assigning a user (or users) responsibility for posting that information, and then state who that person is in your security plan for level three maturity. In order to measure the effectiveness of your policy, you should review the privileges of those who can make edits to your website, and review the website content on a regular basis.

Discussion From Source

DRAFT NIST SP 800-171 R2 In accordance with laws, Executive Orders, directives, policies, regulations, or standards, the public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act, CUI, and proprietary information). This requirement addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Individuals authorized to post CUI onto publicly accessible systems are designated. The content of information is reviewed prior to posting onto publicly accessible systems to ensure that nonpublic information is not included.

References