Access Control 3.1.22

Control CUI posted or processed on publicly accessible systems.


What Is This CMMC Control?

Organizations must prevent unauthorized disclosure of CUI on any system that the public can access without authentication. This includes websites, public portals, file shares, or any internet-facing system. Before posting any content to public systems, authorized personnel must review it to ensure no CUI, proprietary information, or other protected data is included. Only designated individuals may post content to public-facing systems, and all content must be reviewed before publication.

Control Intent

Prevent unauthorized public disclosure of CUI and other protected information by controlling what information is posted to publicly accessible systems and who can post it.

Who This Control Applies To

  • Public-facing websites
  • Marketing and corporate websites
  • Customer portals without authentication
  • Public file sharing systems
  • Social media accounts controlled by the organization
  • Public-facing APIs or data feeds
  • Any system accessible without authentication that the organization controls

Not Applicable When

  • Organization has no publicly accessible systems
  • Organization does not process or store CUI
  • All public-facing systems are operated entirely by third parties with no organizational content posting capability
  • Organization only uses authenticated portals with no public access

Key Objectives

  1. Prevent CUI from being inadvertently or intentionally disclosed on publicly accessible systems
  2. Ensure only authorized personnel can post content to public-facing systems
  3. Verify all content is reviewed for CUI before being made publicly accessible

Sample Self-Assessment Questions (Partial)

Does your organization operate any websites, portals, or systems that the public can access without logging in?

Do you post any content, documents, or data to public-facing websites or social media?

Implementation Approaches (High-Level)

Content Review and Approval Workflow

Establish a documented process requiring all content to be reviewed and approved by authorized personnel before posting to any publicly accessible system.

Role-Based Access Control for Publishing Tools

Restrict access to content management systems, social media accounts, and publishing tools to only designated, authorized personnel.

Automated Content Scanning and DLP

Deploy automated tools to scan content for CUI, sensitive data, or policy violations before it is posted publicly.

Separate Staging and Production Environments

Maintain separate staging environments where content is reviewed and tested before being published to production public-facing systems.

Designated Authorized Posters and Training

Formally designate individuals authorized to post content publicly and provide training on CUI identification and handling.

Monitoring and Incident Response for Public Content

Implement monitoring to detect CUI posted to public systems and establish incident response procedures for remediation.
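The following is an added example, not code from the page or from ConformatIQ, showing how the approaches above fit together as one pre-publication gate: the role-based restriction on who may post, an automated scan of the content for CUI markings and sensitive data before it goes public, and a documented second-person review bound to the exact content being published. The same scanner is then reused to monitor content that is already live, which is the detection half of the monitoring and incident response approach. The channel names, poster allowlist, sample posts and the SSN pattern are constructed for this example; the CUI rules follow the CUI Registry marking conventions (a "CUI" banner, an optional category such as "CUI//SP-CTI", and the "Controlled by:" designation line) but are assumptions about what a given organization's documents look like.

```python
"""Pre-publication gate for public-facing content (added example, see lead-in).

Combines three of the approaches listed above:
  * RBAC: only designated posters may publish to a given public channel
  * DLP: content is scanned for CUI markings and common sensitive-data patterns
  * Review: a documented approval by a second person must exist for the exact
    bytes being published
The same scanner is then reused to monitor content that is already public.
All names, channels, patterns and sample posts are constructed for this example.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

# Constructed allowlist of designated posters per public channel (assumption).
AUTHORIZED_POSTERS: dict[str, set[str]] = {
    "www.example.com": {"webadmin"},
    "social:corporate-account": {"comms.lead"},
}

# Detection rules. The CUI rules follow the CUI Registry marking conventions
# (banner "CUI", optional category such as "CUI//SP-CTI", and the
# "Controlled by:" designation indicator); the SSN rule is an illustrative
# pattern, not a full DLP ruleset. Any hit blocks publication until a human
# has cleared it.
PATTERNS: dict[str, re.Pattern[str]] = {
    "cui_banner": re.compile(r"\bCUI(?://[A-Z0-9/-]+)?\b"),
    "cui_designation": re.compile(r"\bControlled by:", re.IGNORECASE),
    "cui_spelled_out": re.compile(r"controlled unclassified information", re.IGNORECASE),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


@dataclass
class Finding:
    rule: str
    line: int
    excerpt: str


@dataclass
class GateResult:
    allowed: bool = True
    reasons: list[str] = field(default_factory=list)
    findings: list[Finding] = field(default_factory=list)


def scan_content(text: str) -> list[Finding]:
    """Return every rule hit, line by line, so the reviewer can locate it."""
    hits: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, rx in PATTERNS.items():
            if rx.search(line):
                hits.append(Finding(rule, lineno, line.strip()[:80]))
    return hits


def content_digest(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def record_review(reviewer: str, text: str) -> dict[str, str]:
    """Approval record bound to the exact content reviewed (its hash, not a title)."""
    return {"reviewer": reviewer, "content_hash": content_digest(text)}


def publish_gate(channel: str, poster: str, text: str,
                 approvals: list[dict[str, str]]) -> GateResult:
    result = GateResult()
    # 1. RBAC: the poster must be designated for this channel.
    if poster not in AUTHORIZED_POSTERS.get(channel, set()):
        result.allowed = False
        result.reasons.append(f"{poster!r} is not a designated poster for {channel!r}")
    # 2. DLP: any CUI marking or sensitive-data hit blocks the post.
    result.findings = scan_content(text)
    if result.findings:
        result.allowed = False
        result.reasons.append(f"{len(result.findings)} possible CUI/sensitive-data finding(s)")
    # 3. Documented review: the approval must match these exact bytes and come
    #    from someone other than the poster (separation of duties). Editing the
    #    content after review changes the hash and invalidates the approval.
    digest = content_digest(text)
    if not any(a["content_hash"] == digest and a["reviewer"] != poster for a in approvals):
        result.allowed = False
        result.reasons.append("no documented second-person review of this exact content")
    return result


def monitor_published(pages: dict[str, str]) -> dict[str, list[Finding]]:
    """Re-scan content already live; every entry returned is an incident to triage."""
    incidents: dict[str, list[Finding]] = {}
    for url, text in pages.items():
        hits = scan_content(text)
        if hits:
            incidents[url] = hits
    return incidents


# Constructed sample content for the demonstration.
CLEAN_POST = "New office hours start Monday. Visit our careers page for current openings."
BAD_POST = """Program update for partners
CUI//SP-CTI
Controlled by: Example Program Office
Contact J. Doe, SSN 123-45-6789, for the technical data package.
"""

if __name__ == "__main__":
    approvals = [record_review("security.reviewer", CLEAN_POST)]
    print(publish_gate("www.example.com", "webadmin", CLEAN_POST, approvals))
    print(publish_gate("www.example.com", "webadmin", BAD_POST, approvals))
    print(monitor_published({"https://www.example.com/news/2": BAD_POST}))
```

Binding the approval to a hash of the content rather than to a document title is the detail that makes the review evidence meaningful to an assessor: a post that is edited after sign-off no longer has a valid approval, and a poster cannot approve their own content. The scanner is deliberately noisy (a marketing page that mentions "CUI" in passing will be flagged); in this design a hit stops publication and routes the item to a trained reviewer rather than trying to decide automatically.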

Evidence & Assessment Notes

Expected Evidence

Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.

Plan of Action & Milestones (POA&M)

  • If no formal content review process exists, develop and document a content review and approval workflow as a priority remediation step
  • If access to publishing tools is not restricted, implement role-based access controls and revoke unnecessary permissions immediately
  • If CUI has been posted publicly in the past, document the incident, remediation, and preventive measures in the POA&M
  • If no training exists for authorized posters, develop and deliver CUI awareness training specific to public posting risks
  • If publicly accessible systems are not inventoried, complete an inventory and risk assessment as a foundational step
  • If DLP or scanning tools are planned but not yet deployed, include an implementation timeline and interim manual review procedures
  • If staging environments do not exist, consider this a longer-term architectural improvement and document interim review controls
  • Ensure the POA&M includes specific milestones for policy creation, training delivery, technical implementation, and validation testing

Frequently Asked Questions

What counts as a publicly accessible system under this control?

Any system that the public can access without authentication, including websites, public portals, social media accounts, public file shares, or any internet-facing system controlled by the organization. This includes both systems you host and third-party platforms where you post content (e.g., social media, public cloud storage).

Does this control apply to our marketing website if we never post CUI there?

Yes. The control requires you to have processes in place to ensure CUI is never posted to publicly accessible systems, even if you do not currently post CUI. You must have review procedures and access controls to prevent accidental or unauthorized posting of CUI.

Who should be designated as authorized to post content publicly?

Typically, this includes marketing personnel, communications staff, web administrators, or other roles responsible for managing public-facing content. The key is that these individuals are formally designated, trained on CUI handling, and their access is controlled and documented.

What should our content review process include?

At minimum, the review process should verify that content does not contain CUI, proprietary information, personal data, or other protected information. Reviews should be documented, performed by trained personnel, and required before any content is made publicly accessible.

What if we accidentally post CUI to our public website—how does that affect our assessment?

Accidental posting of CUI is a serious incident and likely a control failure. However, if you have documented incident response procedures, promptly removed the content, investigated root cause, and implemented corrective actions, assessors may view this more favorably than having no controls at all. Document the incident and remediation in your POA&M.

Do we need technical controls like DLP, or is a manual review process sufficient?

Manual review processes are acceptable, especially for smaller organizations with limited public posting activity. However, automated controls like DLP provide stronger assurance and are recommended for organizations with frequent public posting, large volumes of content, or higher risk of CUI exposure. The control does not mandate specific technical solutions.

How ConformatIQ Helps With CMMC Readiness

ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.


Information sourced from NIST SP 800-171 Rev. 2.