03.01.22: Publicly Accessible Content
Referenced in: N/A
Control Type: N/A
CPCSC Level 2: 03.01.22
CMMC Level(s): N/A
Derived From: NIST SP 800-53r5 AC-22
a. Train authorized individuals to ensure that publicly accessible information does not contain CUI.
b. Review the content on publicly accessible systems for CUI and remove such information, if discovered.
Discussion:
In accordance with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including CUI.
Assessment Methods and Objectives
Examine [SELECT FROM: access control policy and procedures; procedures for publicly accessible content; list of users authorized to post publicly accessible content on organizational systems; training materials or records; records of publicly accessible information reviews; records of response to CUI discovered on public websites; system audit logs; security awareness training records; system security plan; other relevant documents or records]
Interview [SELECT FROM: personnel with responsibilities for managing publicly accessible information posted on organizational systems; personnel with information security responsibilities]
Test [SELECT FROM: mechanisms for implementing the management of publicly accessible content]
NIST SP 800-171A r3 Determining Statements
Determine if:
A.03.01.22.a: authorized individuals are trained to ensure that publicly accessible information does not contain CUI.
A.03.01.22.b[01]: the content on publicly accessible systems is reviewed for CUI.
A.03.01.22.b[02]: CUI is removed from publicly accessible systems, if discovered.