Level 5 CMMC - CMMC Practices

SC.3.193  

Reference: CMMC 1.02

Family: SC

Level Introduced: 3

Practice:
Implement a policy restricting the publication of CUI on externally owned, publicly accessible websites (e.g., forums, LinkedIn, Facebook, Twitter).

CMMC Clarification:
Establish a defined and communicated policy to prohibit employees from posting CUI on a publicly facing website. This includes social media outlets such as Facebook, LinkedIn, and Twitter. This policy applies to both business-related and personal posts.

Example:
You are a program manager for a contract that uses CUI. To ensure you are protecting your information correctly, you inform everyone working on the project of your existing policy that prohibits the posting of CUI on public websites. This includes any job- or industry-related forums or discussions that may reference your contract work. You include these instructions in your initial project kick-off briefing and in the briefing to any employees who join the project once it is underway. You also include a reminder in your company’s annual security training.

Define and enforce a policy that restricts employees from publishing or posting CUI on public websites such as forums and social media outlets.

Source: CMMC v1.02
