AC.1.004 Publicly Posted Information (CMMC Level 1)

Control information posted or processed on publicly accessible information systems.

Source Discussion

In accordance with laws, Executive Orders, directives, policies, regulations, or standards, the public is not authorized to access nonpublic information (e.g., information protected under the Privacy Act, FCI, and proprietary information). This requirement addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Individuals authorized to post FCI onto publicly accessible systems are designated. The content of information is reviewed prior to posting onto publicly accessible systems to ensure that nonpublic information is not included.

CMMC Clarification

Do not allow sensitive information, including Federal Contract Information (FCI), which may include CUI, to become public. It is important to know which users/employees are allowed to publish information on publicly accessible systems, like your company website. Limit and control information that is posted on your company’s website(s) that can be accessed by the public.

CMMC GUIDE FURTHER DISCUSSION

Do not allow FCI to become public – always safeguard the confidentiality of FCI by controlling the posting of FCI on company-controlled websites or public forums, and the exposure of FCI in public presentations or on public displays [d]. It is important to know which users are allowed to publish information on publicly accessible systems, like your company website, and implement a review process before posting such information [a,c]. If FCI is discovered on a publicly accessible system, procedures should be in place to remove that information and alert the appropriate parties [e].

Example

You are head of marketing for your company and want to become better known by your customers. So, you decide to start issuing press releases about your company projects. Your company gets FCI from doing work for the Federal government. FCI is information that is not shared publicly. Because you recognize the need to control sensitive information, including FCI, you carefully review all information before posting it on the company website or releasing it to the public. You allow only certain employees to post to the website.

References

FAR Clause 52.204-21 b.1.iv

NIST SP 800-171 Rev 1 3.1.22

NIST SP 800-53 Rev 4 AC-22

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.