03.01.22: Publicly Accessible Content
Control Family: Access Control
SPRS: N/A
Top Ten Failed Requirement: N/A
Supporting Publications: N/A
Referenced in: N/A
Control Type: N/A
CPCSC Level 2: 03.01.22
CMMC Level(s): N/A
Derived From: NIST SP 800-53r5 AC-22
a. Train authorized individuals to ensure that publicly accessible information does not contain CUI.
b. Review the content on publicly accessible systems for CUI and remove such information, if discovered.
Discussion:
In accordance with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including CUI.
Assessment Methods and Objectives
Examine [SELECT FROM: access control policy and procedures; procedures for publicly accessible content; list of users authorized to post publicly accessible content on organizational systems; training materials or records; records of publicly accessible information reviews; records of response to CUI discovered on public websites; system audit logs; security awareness training records; system security plan; other relevant documents or records]
Interview [SELECT FROM: personnel with responsibilities for managing publicly accessible information posted on organizational systems; personnel with information security responsibilities]
Test [SELECT FROM: mechanisms for implementing the management of publicly accessible content]
NIST SP 800-171A r3 Determining Statements
Determine if:
A.03.01.22.a: authorized individuals are trained to ensure that publicly accessible information does not contain CUI.
A.03.01.22.b[01]: the content on publicly accessible systems is reviewed for CUI.
A.03.01.22.b[02]: CUI is removed from publicly accessible systems, if discovered.