Level 5 CMMC - CMMC Practices

AC.1.004  

Reference: CMMC 1.02

Family: AC

Level Introduced: 1

Practice:
Control information posted or processed on publicly accessible information systems.

CMMC Clarification:
Do not allow sensitive information, including Federal Contract Information (FCI), which may include CUI, to become public. It is important to know which users/employees are allowed to publish information on publicly accessible systems, like your company website. Limit and control information that is posted on your company’s website(s) that can be accessed by the public.

Example
You are head of marketing for your company and want to become better known by your customers. So, you decide to start issuing press releases about your company projects. Your company gets FCI from doing work for the Federal government. FCI is information that is not shared publicly. Because you recognize the need to control sensitive information, including FCI, you carefully review all information before posting it on the company website or releasing to the public. You allow only certain employees to post to the website.

3.1.22

Control CUI posted or processed on publicly accessible systems.

Discussion:
In accordance with laws, Executive Orders, directives, policies, regulations, or standards, the public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act, CUI, and proprietary information). This requirement addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Individuals authorized to post CUI onto publicly accessible systems are designated. The content of information is reviewed prior to posting onto publicly accessible systems to ensure that nonpublic information is not included.

Source: NIST Special Publication 800-171 Rev. 2

AC-22

PUBLICLY ACCESSIBLE CONTENT

Description:
The organization:
    a. Designates individuals authorized to post information onto a publicly accessible information system;
    b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
    c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and
    d. Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered.

Supplemental Guidance:
In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy. Related controls: AC-3, AC-4, AT-2, AT-3, AU-13.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02