AC.1.004 Publicly Posted Information (CMMC Level 1)

Control information posted or processed on publicly accessible information systems.

Source Discussion

In accordance with laws, Executive Orders, directives, policies, regulations, or standards, the public is not authorized to access nonpublic information (e.g., information protected under the Privacy Act, FCI, and proprietary information). This requirement addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Individuals authorized to post FCI onto publicly accessible systems are designated. The content of information is reviewed prior to posting onto publicly accessible systems to ensure that nonpublic information is not included.

CMMC Clarification

Do not allow sensitive information, including Federal Contract Information (FCI), which may include CUI, to become public. It is important to know which users/employees are allowed to publish information on publicly accessible systems, like your company website. Limit and control information that is posted on your company’s website(s) that can be accessed by the public.


Do not allow FCI to become public – always safeguard the confidentiality of FCI by controlling the posting of FCI on company-controlled websites or public forums, and the exposure of FCI in public presentations or on public displays [d]. It is important to know which users are allowed to publish information on publicly accessible systems, like your company website, and implement a review process before posting such information [a,c]. If FCI is discovered on a publicly accessible system, procedures should be in place to remove that information and alert the appropriate parties [e].


You are head of marketing for your company and want to become better known by your customers. So, you decide to start issuing press releases about your company projects. Your company gets FCI from doing work for the Federal government. FCI is information that is not shared publicly. Because you recognize the need to control sensitive information, including FCI, you carefully review all information before posting it on the company website or releasing it to the public. You allow only certain employees to post to the website.


FAR Clause 52.204-21 b.1.iv

NIST SP 800-171 Rev 1 3.1.22

NIST SP 800-53 Rev 4 AC-22

MP.1.118 Media Destruction – Sanitation (CMMC Level 1)

Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

Source Discussion

This requirement applies to all system media, digital and non-digital, subject to disposal or reuse. Examples include digital media found in workstations, network components, scanners, copiers, printers, notebook computers, and mobile devices; and non-digital media such as paper and microfilm. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is released for reuse or disposal.

Organizations determine the appropriate sanitization methods, recognizing that destruction may be necessary when other methods cannot be applied to the media requiring sanitization.

Organizations use discretion on the employment of sanitization techniques and procedures for media containing information that is in the public domain or publicly releasable or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing FCI from documents, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing the words or sections from the document. NARA policy and guidance control sanitization processes for federal contract information. NIST SP 800-88 provides guidance on media sanitization.

CMMC Clarification

In this case, “media” can mean something as simple as paper, or storage devices like diskettes, disks, tapes, microfiche, thumb drives, CDs and DVDs, and even mobile phones. It is important to see what information is on these types of media. If there is Federal contract information (FCI)—information you or your company got doing work for the Federal government that is not shared publicly)—you or someone in your company should do one of two things before throwing the media away:

  • clean or purge the information, if you want to reuse the device; or
  • shred or destroy the device so it cannot be read.

See NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization for more information.


“Media” refers to a broad range of items that store information, including paper documents, disks, tapes, digital photography, USB drives, CDs, DVDs, and mobile phones. It is important to know what information is on media so that you handle it properly. If there is FCI, you or someone in your company should either:

  • shred or destroy the device before disposal so it cannot be read [a] or
  • clean or purge the information, if you want to reuse the device [b].

See NIST Special Publication 800-88, Revision 1, Guidelines for Media Sanitization, for more information.


You are moving into a new office. As you pack for the move, you find some of your old CDs in a file cabinet. When you load the CDs into your computer drive, you see that one has information about an old project your company did for the Department of Defense (DoD). Rather than throw the CD in the trash, you make sure that it is shredded.



FAR Clause 52.204-21 b.1.vii

NIST SP 800-171 Rev 1 3.8.3



NIST SP 800-53 Rev 4 MP-6


AC.1.003 External/Remote Connections (CMMC Level 1)

Verify and control/limit connections to and use of external information systems.

Sources Discussion

External systems are systems or components of systems for which organizations typically have no direct supervision and authority over the application of security requirements and controls or the determination of the effectiveness of implemented controls on those systems. External systems include personally owned systems, components, or devices and privately-owned computing and communications devices resident in commercial or public facilities. This requirement also addresses the use of external systems for the processing, storage, or transmission of FCI, including accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational systems.

Organizations establish terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum, the types of applications that can be accessed on organizational systems from external systems. If terms and conditions with the owners of external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.

This requirement recognizes that there are circumstances where individuals using external systems (e.g., contractors, coalition partners) need to access organizational systems. In those situations, organizations need confidence that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been effectively implemented can be achieved by third-party, independent assessments, attestations, or other means, depending on the assurance or confidence level required by organizations.

Note that while “external” typically refers to outside of the organization’s direct supervision and authority, that is not always the case. Regarding the protection of FCI across an organization, the organization may have systems that process FCI and others that do not. And among the systems that process FCI, there are likely access restrictions for FCI that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered “external to that system.

CMMC Clarification

Make sure to control and manage connections between your company network and outside networks, such as the public internet or a network that does not belong to your company. Be aware of applications that can be run by outside systems. Control and limit personal devices like laptops, tablets, and phones from accessing the company networks and information. You can also choose to limit how and when your network is connected to outside systems and/or decide that only certain employees can connect to outside systems from network resources.


Control and manage connections between your company network and outside networks. Outside networks could include the public internet, one of your own company’s networks that fall outside of your assessment boundary (e.g., an isolated lab), or a network that does not belong to your company [c,e]. Tools to accomplish include firewalls and connection allow/deny lists. External systems not controlled by your company could be running applications that are prohibited or blocked. Control and limit access to corporate networks from personally owned devices such as laptops, tablets, and phones [b,d,f]. You may choose to limit how and when your network is connected to outside systems or only allow certain employees to connect to outside systems from network resources [e].


You help manage IT for your employer. You and your coworkers are working on a big proposal, and all of you will put in extra hours over the weekend to get it done. Part of the proposal includes Federal Contract Information or FCI. FCI is information that you or your company get from doing work for the Federal government. Because FCI is not shared publicly, you remind your coworkers to use their company laptops, not personal laptops or tablets, when working on the proposal over the weekend.


FAR Clause 52.204-21 b.1.iii

NIST SP 800-171 Rev 1 3.1.20

CIS Controls v7.1 12.1, 12.4

NIST CSF v1.1 ID.AM-4, PR.AC-3


NIST SP 800-53 Rev 4 AC-20, AC- 20(1)

AC.1.002 User Access Restrictions (CMMC Level 1)

Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

Source Discussion

Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements).


CMMC Clarification

Make sure to limit users/employees to only the information systems, roles, or applications they are permitted to use and that are needed for their jobs.


Limit users to only the information systems, roles, or applications they are permitted to use and are needed for their roles and responsibilities [a]. Limit access to applications and data based on the authorized users’ role and responsibilities [b]. Common types of functions a user can be assigned are creating, read, update, and delete.


You are in charge of payroll for the company and need access to certain company financial information and systems. You work with IT to set up the system so that when users log onto the company’s network, only those employees you allow can use the payroll applications and access payroll data. Because of this good access control, your coworkers in the Shipping Department cannot access information about payroll or paychecks.



FAR Clause 52.204-21 b.1.ii

NIST SP 800-171 Rev 1 3.1.2

CIS Controls v7.1 1.4, 1.6, 5.1, 8.5, 14.6, 15.10, 16.8, 16.9, 16.11

NIST CSF v1.1 PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-3, PR.PT-4


NIST SP 800-53 Rev 4 AC-2, AC- 3, AC-17

AC.1.001 Basic Security Requirements (CMMC Level 1)

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

Source Discussion

Access control policies (e.g., identity- or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems.

Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization.

This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses [sic] non-privileged) are addressed in requirement 3.1.2 (AC.1.002).

CMMC Clarification

Control who can use company computers and who can log on to the company network. Limit the services and devices, like printers, that can be accessed by company computers. Set up your system so that unauthorized users and devices cannot get on the company network.


Identify users, processes, and devices that are allowed to use company computers and can log on to the company network [a]. Automated updates and other automatic processes should be associated with the user who initiated (authorized) the process [b]. Limit the devices (e.g., printers) that can be accessed by company computers [c]. Set up your system so that only authorized users, processes, and devices can access the company network [d,e,f].

This practice, AC.1.001, controls system access based on user, process or device identity. AC.1.001 leverages IA.1.076, which provides a vetted and trusted identity for access control required by AC.1.001.


Example 1

You are in charge of IT for your company. You give a username and password to every employee who uses a company computer for their job. No one can use a company computer without a username and a password. You give a username and password only to those employees you know have permission to be on the system. When an employee leaves the company, you disable their username and password immediately.

Example 2

A coworker from the marketing department tells you their boss wants to buy a new multi- function printer/scanner/fax device and make it available on the company network. You explain that the company controls system and device access to the network, and will stop non-company systems and devices unless they already have permission to access the network. You work with the marketing department to grant permission to the new printer/scanner/fax device to connect to the network, then install it.


FAR Clause 52.204-21 b.1.i

NIST SP 800-171 Rev 1 3.1.1

CIS Controls v7.1 1.4, 1.6, 5.1, 14.6, 15.10, 16.8, 16.9, 16.11

NIST CSF v1.1 PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-3, PR.PT-4


NIST SP 800-53 Rev 4 AC-2, AC- 3, AC-17

AU ACSC Essential Eight

Internet Safety Day 2021

Today, Tuesday, 9 February 2021, we celebrate the 18th edition of Safer Internet Day with actions taking place right across the globe. With a theme once again of “Together for a better internet”, this day calls upon all stakeholders to join together to make the internet a safer and better place for all, and especially for children and young people. would like to share a few links to some useful content that can help you, your family, and your business.

Internet Safety 101 The Ultimate Guide for Parents

This is the ultimate, easy-to-digest guide to keeping your family safe online.

Let’s get straight to the point:

As parents, we worry about our kids and the internet. We want to keep them safe but aren’t always sure how. Where do we start?

Right here.

This Internet Safety 101 guide issimple to follow and very practical.

If you want to be clued-up and confident but are short on time, we made this for you.

You’re going to see the issues and risks and be given actionable tips for protecting your family.

Let’s dive right in.

Retrieve from –

Safer Internet Day 2021: History, Theme And Tips For Personal Online Security

The safer internet day is celebrated in February each year and this year, Feb. 9 marks the day. The day was launched in the U.K. to raise awareness about correct internet practices and reflect on the concerns around the online world such as cyberbullying and other forms of online harassment.

The day focuses on a range of topics, including consent, ownership, and data privacy, and also aims to rid the online world of malevolence of any sort and ensure the security of children and adults alike.