AC.L1-3.1.22—Control Public Information
Control Description
Control information posted or processed on publicly accessible information systems.
Cross-Framework Mappings
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policies govern what information can be posted on publicly accessible systems?
- How do you review and approve content before it is published publicly?
- Who is responsible for monitoring and controlling publicly accessible information?
- What is your incident response process if CUI is inadvertently posted publicly?
Technical Implementation:
- What technical controls prevent CUI from being posted to public systems?
- How do you technically separate public-facing and internal content?
- What DLP or content filtering tools monitor publicly posted information?
- What technical approval workflows govern content publication?
- What scanning or monitoring detects CUI on public systems?
Evidence & Documentation:
- What documentation demonstrates your access control policies and procedures?
- What access control matrices or permissions documentation can you provide?
- What access request and approval records can you show?
- What access review documentation demonstrates periodic reviews?
- What audit logs demonstrate access control enforcement?
- What screenshots or configuration exports show access control settings?