3.1.22—Access Control - Derived
Derived Requirement
>Control Description
Control CUI posted or processed on publicly accessible systems.
>Discussion
In accordance with laws, Executive Orders, directives, policies, regulations, or standards, the public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act, CUI, and proprietary information). This requirement addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Individuals authorized to post CUI onto publicly accessible systems are designated.
The content of information is reviewed prior to posting onto publicly accessible systems to ensure that nonpublic information is not included.
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policies govern control of CUI posted or processed on public systems?
- What procedures prevent CUI from being placed on publicly accessible systems?
- How do you train users on public system restrictions for CUI?
- Who monitors compliance with public system usage policies?
- What governance addresses inadvertent CUI disclosure on public systems?
Technical Implementation:
- What technical controls prevent CUI upload to public systems?
- How do you monitor and detect CUI on publicly accessible systems?
- What data loss prevention (DLP) tools identify CUI movement?
- How are public-facing systems segregated from CUI environments?
- What controls block CUI email to public addresses?
Evidence & Documentation:
- Can you show DLP policies preventing CUI on public systems?
- What incident reports address CUI found on public systems?
- What logs track attempts to move CUI to unauthorized locations?
- Can you provide evidence of blocked CUI uploads to public sites?
- What audit findings verify public system CUI controls?