3.1.22

Requirement

a. Train authorized individuals to ensure that publicly accessible information does not contain CUI.
b. Review the content on publicly accessible systems for CUI and remove such information, if discovered.

Discussion

In accordance with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including CUI.

NIST 800-171A r3 Assessment Guidance

Examine

[SELECT FROM: access control policy and procedures; procedures for the use of external systems; terms and conditions for the use of external systems; external systems security requirements; list of types of applications accessible from external systems; system configuration settings; system security plan; other relevant documents or records]
Interview

[SELECT FROM: mechanisms for implementing or enforcing terms, conditions, and security requirements for the use of external systems]
Test

[SELECT FROM: personnel with responsibilities for defining terms, conditions, and security requirements for the use of external systems; personnel with information security responsibilities; system administrators]

ID	Assessment Objectives
A.03.01.22.a	authorized individuals are trained to ensure that publicly accessible information does not contain CUI.
A.03.01.22.b[01]	the content on publicly accessible systems is reviewed for CUI.
A.03.01.22.b[02]	CUI is removed from publicly accessible systems, if discovered.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!