NIST 800-53 REV 5 • PLANNING
PL-4(1) — Social Media and External Site/Application Usage Restrictions
Include in the rules of behavior, restrictions on: Use of social media, social networking sites, and external sites/applications; Posting organizational information on public websites; and Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.
Supplemental Guidance
Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of social media, social networking, and external sites when organizational personnel are using such sites for official duties or in the conduct of official business, when organizational information is involved in social media and social networking transactions, and when personnel access social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining non-public organizational information from social media and networking sites either directly or through inference. Non-public information includes personally identifiable information and system account information.
Practitioner Notes
Your rules of behavior should specifically address social media use and external websites/applications — what employees can share publicly, how they represent the organization online, and what information they must not post.
Example 1: Add a social media section to your AUP that prohibits: sharing proprietary or sensitive information on social media, posting photos of work areas showing screens or documents, discussing specific client projects without approval, and using personal social media accounts for company business.
Example 2: Configure Microsoft Defender for Cloud Apps or a web filtering solution to monitor and control access to social media and personal cloud storage from company devices. Block uploads to personal cloud storage (Google Drive, Dropbox) and log social media access for review if needed.
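Whichever filtering product enforces Example 2, the policy it encodes is simple enough to state as code, and doing so is a useful way to review proxy logs for the activity the rules of behavior prohibit. The following is an added example, not part of the NIST text and not code from Microsoft Defender for Cloud Apps or any other product: it parses constructed proxy log lines of the form `<timestamp> <user> <method> <url> <status>`, classifies each destination as social media, personal cloud storage, or other, and applies the Example 2 rules (block uploads to personal cloud storage, log social media access, allow everything else). The domain lists, the log format, and the function names are assumptions made for the example.

```python
"""Added example (not part of the NIST text or any vendor product): apply the
Example 2 rules to constructed web-proxy log lines and summarize per user."""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# Domain lists are assumptions for this example; a real deployment would take
# them from the filtering product's category feeds.
SOCIAL_MEDIA = {"facebook.com", "x.com", "linkedin.com", "instagram.com", "tiktok.com"}
PERSONAL_CLOUD = {"drive.google.com", "dropbox.com", "onedrive.live.com"}
UPLOAD_METHODS = {"POST", "PUT"}

# Constructed sample log: "<timestamp> <user> <method> <url> <status>".
SAMPLE_LOG = """\
2024-05-02T09:12:01Z alice GET https://www.linkedin.com/feed/ 200
2024-05-02T09:13:45Z bob POST https://content.dropbox.com/2/files/upload 200
2024-05-02T09:14:10Z alice GET https://drive.google.com/drive/my-drive 200
2024-05-02T09:15:33Z carol PUT https://drive.google.com/upload/drive/v3/files 200
2024-05-02T09:16:02Z bob GET https://docs.internal.example/handbook 200
this line is deliberately malformed
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    method: str
    host: str
    category: str  # "social_media", "personal_cloud" or "other"
    action: str    # "block", "log" or "allow"


def host_matches(host: str, domains: set) -> bool:
    """True if host is one of the listed domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(host: str) -> str:
    """Map a destination host to a policy category."""
    if host_matches(host, SOCIAL_MEDIA):
        return "social_media"
    if host_matches(host, PERSONAL_CLOUD):
        return "personal_cloud"
    return "other"


def decide(category: str, method: str) -> str:
    """Example 2 policy: block cloud-storage uploads, log social media access."""
    if category == "personal_cloud" and method in UPLOAD_METHODS:
        return "block"
    if category == "social_media":
        return "log"
    return "allow"


def parse_line(line: str):
    """Parse one log line into an Event; return None for malformed lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host = urlsplit(m["url"]).hostname
    if host is None:
        return None
    category = classify(host)
    return Event(m["ts"], m["user"], m["method"], host, category,
                 decide(category, m["method"]))


def evaluate(lines):
    """Parse all lines, skipping blank or malformed ones."""
    events = [parse_line(line) for line in lines]
    return [e for e in events if e is not None]


def violations(events):
    """Events the policy would have blocked (uploads to personal cloud storage)."""
    return [e for e in events if e.action == "block"]


def summarize(events):
    """Per-user count of block/log/allow decisions, returned as plain dicts."""
    per_user = {}
    for e in events:
        per_user.setdefault(e.user, Counter())[e.action] += 1
    return {user: dict(counts) for user, counts in per_user.items()}


if __name__ == "__main__":
    evs = evaluate(SAMPLE_LOG.splitlines())
    for v in violations(evs):
        print(f"BLOCK {v.ts} {v.user} {v.method} {v.host}")
    print(summarize(evs))
```

Matching on the host suffix rather than the full URL is deliberate: upload endpoints for these services usually live on subdomains (as the constructed `content.dropbox.com` line shows), so an exact-host list would miss them. Run against real proxy exports, the `violations` list is the set of uploads that a correctly configured filter should already have stopped, which makes it a quick way to check that the control is actually working.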