NIST 800-53 REV 5 • ACCESS CONTROL

AC-22 Publicly Accessible Content

a. Designate individuals authorized to make information publicly accessible;
b. Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and
d. Review the content on the publicly accessible system for nonpublic information {{ insert: param, ac-22_odp }} and remove such information, if discovered.

CMMC Practice Mapping

NIST 800-171 Mapping

Related Controls

Supplemental Guidance

In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible.

Practitioner Notes

Content published on public-facing websites and systems must be reviewed before posting to ensure it does not contain sensitive information. Once it is public, you cannot take it back.

Example 1: Create a content review workflow for your public website. Before any page goes live, it must be reviewed by the content owner and the ISSO. Use a CMS workflow (WordPress editorial review, SharePoint approval) to enforce this. No content publishes without two approvals.

Example 2: Run regular reviews of your public website using a web scraper tool to check for inadvertently exposed sensitive data — email addresses of specific employees, internal IP addresses, system names, or metadata in uploaded documents. Schedule this quarterly and remediate any findings immediately.
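The periodic review in Example 2 can be automated with a small scanner run over the crawled pages. The following is an added illustration, not part of the NIST control text or any particular tool: it flags named-employee e-mail addresses (anything that is not an approved role mailbox), RFC 1918 private IPv4 addresses, and hostnames under assumed internal DNS suffixes (.internal, .corp, .lan, .local). The sample pages are constructed HTML embedded inline so the script runs offline; in a real review the dict would be filled from a crawl of the public site.

```python
"""
Offline scanner for the AC-22 periodic public-content review (Example 2).
Added illustration, not part of the NIST text. Flags three kinds of
nonpublic data on already-published pages: personal e-mail addresses,
RFC 1918 private IPv4 addresses, and hostnames under assumed internal
DNS suffixes. SAMPLE_PAGES is constructed for the example; in practice
the dict would be populated by a site crawl.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (page url, finding kind, matched value)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumed internal DNS suffixes; adjust to the organization's own naming.
INTERNAL_HOST_RE = re.compile(
    r"\b[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.(?:internal|corp|lan|local)\b", re.I
)

# Role mailboxes that are intended to be public; any other local part is
# treated as a named-employee address and flagged for review.
PUBLIC_MAILBOXES = {"info", "press", "contact", "webmaster", "support"}

RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def personal_emails(text: str) -> List[str]:
    """E-mail addresses whose local part is not an approved role mailbox."""
    hits = []
    for addr in EMAIL_RE.findall(text):
        local = addr.split("@", 1)[0].lower()
        if local not in PUBLIC_MAILBOXES:
            hits.append(addr)
    return hits


def private_ips(text: str) -> List[str]:
    """Dotted quads that parse as valid IPv4 and fall inside RFC 1918 space.
    Version strings such as 1.2.3.4 parse as addresses too, but are only
    flagged when they land in a private range, which keeps noise low."""
    hits = []
    for quad in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(quad)
        except ValueError:  # an octet above 255: not an address
            continue
        if any(ip in net for net in RFC1918_NETS):
            hits.append(quad)
    return hits


def internal_hosts(text: str) -> List[str]:
    """Hostnames under the assumed internal DNS suffixes."""
    return INTERNAL_HOST_RE.findall(text)


def scan_page(url: str, html: str) -> List[Finding]:
    """Scan the raw markup of one page (comments and attributes included,
    since leaks often hide there) and return deduplicated findings."""
    findings = set()
    for value in personal_emails(html):
        findings.add((url, "email", value))
    for value in private_ips(html):
        findings.add((url, "private-ip", value))
    for value in internal_hosts(html):
        findings.add((url, "internal-host", value))
    return sorted(findings)


def scan_site(pages: Dict[str, str]) -> List[Finding]:
    """Scan every crawled page; the result is the remediation list."""
    results: List[Finding] = []
    for url, html in pages.items():
        results.extend(scan_page(url, html))
    return results


# Constructed sample pages: one approved role mailbox, one named employee,
# one public (documentation-range) address, one RFC 1918 address, and one
# internal hostname left behind in an HTML comment.
SAMPLE_PAGES = {
    "https://www.example.org/about": (
        "<p>Media enquiries: press@example.org.</p>"
        "<p>Project lead: jane.doe@example.org</p>"
    ),
    "https://www.example.org/status": (
        "<p>Portal served from 203.0.113.5; database on 10.4.12.7.</p>"
        "<!-- TODO: remove note about build-server01.internal -->"
    ),
}

if __name__ == "__main__":
    for url, kind, value in scan_site(SAMPLE_PAGES):
        print(f"{url}\t{kind}\t{value}")
```

On the constructed sample the scanner reports three items: the named-employee address, the 10.x database address, and the internal hostname in the comment; the role mailbox and the public address are left alone. Document metadata (author fields in uploaded PDFs and Office files) needs a separate extraction step and is not covered here.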