CMMC AC.1.004 – Control Information to Public

CMMC AC.1.004 – Control Information to Public

Requirement text: AC.1.004: Control information posted or processed on publicly accessible information systems.

In accordance with laws, Executive Orders, directives, policies, regulations, or standards, the public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act, CUI, and proprietary information). This requirement addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Individuals authorized to post CUI onto publicly accessible systems are designated. The content of information is reviewed prior to posting onto publicly accessible systems to ensure that nonpublic information is not included.

Do not allow sensitive information, including Federal Contract Information (FCI), which may include CUI, to become public. It is important to know which users/employees are allowed to publish information on publicly accessible systems, like your company website. Limit and control information that is posted on your company’s website(s) that can be accessed by the public.

You are head of marketing for your company and want to become better known by your customers. So, you decide to start issuing press releases about your company projects. Your company gets FCI from doing work for the Federal government. FCI is information that is not shared publicly. Because you recognize the need to control sensitive information, including FCI, you carefully review all information before posting it on the company website or releasing to the public. You allow only certain employees to post to the website.

Get Audit Ready

How to pass? If you use cloud storage like Dropbox, OneDrive, and Google Drive, make sure that anonymous access (no password required) is not enabled and your account has a good password. Tell your employees not to share their cloud documents with anyone outside of the contract. Don’t post sensitive information onto public websites or public media.

How to fail? This requirement seems so easy, yet it is the cause of many recent headaches for the DoD. When you set up a cloud storage location, simply share it with “everyone” or use a blank password. Now everyone on the internet can view and download your files.

• FAR Clause 52.204-21 b.1.iv
• NIST SP 800-171 Rev 1 3.1.22
• NIST SP 800-53 Rev 4 AC-22

    • Related Articles

    • Access Control: SP 800-171 Security Family 3.1

      Access is the ability to make use of any system resource. Access control is the process of granting or denying requests to:       • use information,       • use information processing services, and       • enter company facilities.  System-based ...
    • CMMC AC.4.023 - Control Information Flows

      Requirement text: AC.4.023: Control information flows between security domains on connected systems. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171B (MODIFIED) Organizations employ information flow control policies and enforcement mechanisms to ...
    • CMMC Level 1 Overview - Basic Cyber Hygiene

      CMMC Level 1 l focuses on Federal Contract Information (FCI), which is defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the ...
    • System and Information Integrity: SP 800-171 Security Family 3.14

      Integrity is defined as guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. It is the assertion that data can only be accessed or modified by the authorized employees. ...
    • CMMC AC.1.001 – Limit Information System Access

      Requirement text: AC.1.001: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 Access control ...