NIST 800-171 • LEVEL 2 • ACCESS CONTROL

3.1.22 Publicly Accessible Content

Train authorized individuals to ensure that publicly accessible information does not contain CUI. Review the content on publicly accessible systems for CUI and remove such information, if discovered.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

  • authorized individuals are trained to ensure that publicly accessible information does not contain CUI.
  • the content on publicly accessible systems is reviewed for CUI.
  • CUI is removed from publicly accessible systems, if discovered.

Practitioner Notes

If your company has a website, a public SharePoint page, or posts documents publicly, you need to make sure none of that public content accidentally contains CUI. This happens more often than you'd think — someone uploads a briefing deck to the website without redacting controlled information.

Example 1: Establish a content review process where at least two people review any document before it goes on a public-facing system. Create a checklist that reviewers use to verify the content does not contain CUI markings, controlled technical data, contract numbers, or export-controlled information. Document the review in a log with reviewer names and dates.

Example 2: In Microsoft Purview, create a Data Loss Prevention policy (Data loss prevention → Policies → Create policy) scoped to the SharePoint sites you have designated as public-facing. Configure the rule to detect CUI markings such as "CUI", "CONTROLLED" and the legacy "FOUO", restrict access to matching documents so they cannot be shared, and send an alert to the compliance officer on each match. Treat a DLP hit as a trigger for the human review in Example 1, not a substitute for it: keyword rules only catch content that actually carries a marking, a word like "CUI" also appears in harmless text such as a training announcement, and unmarked controlled technical data still depends on the reviewers.
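The marking check behind both examples, written out as a small pre-publish scanner. This is an added illustration, not code from the page or from Microsoft; the marking patterns, the contract-number pattern (which approximates the 13-character DoD procurement instrument identifier format) and the sample documents are assumptions for this example and should be tuned to your own program's markings.

```python
import re
from dataclasses import dataclass

# Patterns that indicate a document must not go on a public-facing system.
# Assumed for this example; adjust to the markings your contracts actually use.
MARKING_PATTERNS = [
    ("CUI banner", re.compile(r"\bCUI(?://[A-Z0-9\-/]+)?\b")),            # CUI, CUI//SP-CTI, ...
    ("Controlled designation", re.compile(r"\bCONTROLLED(?: UNCLASSIFIED INFORMATION)?\b")),
    ("Legacy FOUO", re.compile(r"\b(?:FOUO|FOR OFFICIAL USE ONLY)\b", re.I)),
    ("Controlled-by line", re.compile(r"^\s*Controlled by:", re.I)),      # CUI designation indicator
    ("Distribution statement", re.compile(r"\bDISTRIBUTION STATEMENT [B-F]\b", re.I)),
    ("Export control", re.compile(r"\b(?:ITAR|EAR99|export[- ]controlled)\b", re.I)),
    # Approximation of a DoD PIID: 6-char DoDAAC, 2-digit FY, instrument type letter, 4-digit serial.
    ("Contract number", re.compile(r"\b[A-Z0-9]{6}-\d{2}-[A-Z]-\d{4}\b")),
]


@dataclass
class Finding:
    document: str
    line: int
    label: str
    matched: str


def scan_text(document: str, text: str) -> list[Finding]:
    """Return every marking hit in one document, ordered by line then pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in MARKING_PATTERNS:
            for match in pattern.finditer(line):
                findings.append(Finding(document, lineno, label, match.group(0)))
    return findings


def scan_documents(documents: dict[str, str]) -> dict[str, list[Finding]]:
    """Scan a batch of documents queued for publication (name -> text)."""
    return {name: scan_text(name, text) for name, text in documents.items()}


def publish_allowed(findings: list[Finding]) -> bool:
    """Gate: a document with any hit stays off the public system until a reviewer clears it."""
    return len(findings) == 0


def report(findings: list[Finding]) -> list[str]:
    """One line per hit, suitable for the review log."""
    return [f"{f.document}:{f.line} [{f.label}] {f.matched!r}" for f in findings]


# Constructed sample documents for the example; not real content.
SAMPLE_DOCUMENTS = {
    "press-release.txt": (
        "Acme Defense wins new contract to modernize logistics.\n"
        "For media inquiries contact press@example.com.\n"
    ),
    "briefing-deck-notes.txt": (
        "CUI//SP-CTI\n"
        "Controlled by: Acme Defense, Program Office\n"
        "Slide 4: test results for contract W912HZ-21-C-0012\n"
        "Distribution Statement D\n"
    ),
    # Mentions the CUI program without containing CUI: a hit a reviewer must clear by hand.
    "training-announcement.txt": "Reminder: annual CUI awareness training is due Friday.\n",
}


if __name__ == "__main__":
    for name, findings in scan_documents(SAMPLE_DOCUMENTS).items():
        verdict = "OK to publish" if publish_allowed(findings) else "HOLD for review"
        print(f"{name}: {verdict}")
        for line in report(findings):
            print("   ", line)
```

Run it against the folder a document passes through before it reaches the website and attach the report to the review log from Example 1. The training announcement shows why the gate holds rather than deletes: it trips the "CUI" keyword yet contains no controlled information, so the two reviewers, not the scanner, make the final call.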