Control information posted or processed on publicly accessible information systems.
In accordance with laws, Executive Orders, directives, policies, regulations, or standards, the public is not authorized to access nonpublic information (e.g., information protected under the Privacy Act, FCI, and proprietary information). This requirement addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Individuals authorized to post FCI onto publicly accessible systems are designated. The content of information is reviewed prior to posting onto publicly accessible systems to ensure that nonpublic information is not included.
Do not allow sensitive information, including Federal Contract Information (FCI), which may include CUI, to become public. It is important to know which users/employees are allowed to publish information on publicly accessible systems, like your company website. Limit and control information that is posted on your company’s website(s) that can be accessed by the public.
CMMC GUIDE FURTHER DISCUSSION
Do not allow FCI to become public – always safeguard the confidentiality of FCI by controlling the posting of FCI on company-controlled websites or public forums, and the exposure of FCI in public presentations or on public displays [d]. It is important to know which users are allowed to publish information on publicly accessible systems, like your company website, and implement a review process before posting such information [a,c]. If FCI is discovered on a publicly accessible system, procedures should be in place to remove that information and alert the appropriate parties [e].
You are head of marketing for your company and want to become better known by your customers. So, you decide to start issuing press releases about your company projects. Your company gets FCI from doing work for the Federal government. FCI is information that is not shared publicly. Because you recognize the need to control sensitive information, including FCI, you carefully review all information before posting it on the company website or releasing it to the public. You allow only certain employees to post to the website.
FAR Clause 52.204-21 b.1.iv
NIST SP 800-171 Rev 1 3.1.22
NIST SP 800-53 Rev 4 AC-22