Control CUI posted or processed on publicly accessible systems
What This Means
This control requires that Controlled Unclassified Information (CUI) not be posted or processed on systems that are publicly accessible. Publicly accessible systems include websites, cloud storage, or any other platforms that can be reached by anyone on the internet. The goal is to prevent unauthorized access to sensitive information, ensuring it remains confidential and secure. For example, if your company stores CUI on a public-facing server or website, you need to move it to a secure, private system. Another example is ensuring that CUI is not accidentally shared through public links or unsecured file-sharing services.
Why It Matters
Leaving CUI on publicly accessible systems exposes it to significant risks, including unauthorized access, data breaches, and cyberattacks. For instance, in 2019, a defense contractor accidentally exposed sensitive military data by storing it on an unsecured cloud server, leading to potential national security risks. The financial and reputational damage from such incidents can be substantial. From the DoD/CMMC perspective, this control is critical to safeguarding national security interests and ensuring compliance with federal regulations. Failure to implement this control can result in penalties, loss of contracts, and damage to your organization's reputation.
How to Implement
- Identify all cloud storage buckets, databases, and applications that might contain CUI.
- Use cloud provider tools (e.g., AWS S3 Block Public Access, Azure Storage Firewall) to restrict public access.
- Enable encryption for all CUI stored in the cloud (e.g., AWS KMS, Azure Key Vault).
- Implement access control policies to ensure only authorized users can access CUI.
- Regularly audit cloud configurations and access logs to ensure compliance.
- Use tools like CloudTrail (AWS) or Azure Monitor to track access to CUI.
- Train employees on secure cloud practices and the risks of public exposure.
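One way to carry out the inventory, public-access and encryption steps above as a repeatable audit, written as an added example that is not part of this page: it evaluates the PublicAccessBlockConfiguration and ServerSideEncryptionConfiguration dictionaries that boto3's s3.get_public_access_block() and s3.get_bucket_encryption() return, over a constructed bucket inventory. The DataClassification=CUI tag used to scope buckets and the bucket names are assumptions.

```python
from typing import Dict, List

# PublicAccessBlockConfiguration flags as returned by s3.get_public_access_block();
# all four must be True for Block Public Access to fully apply.
PAB_FIELDS = ("BlockPublicAcls", "IgnorePublicAcls",
              "BlockPublicPolicy", "RestrictPublicBuckets")
ACCEPTED_SSE = ("AES256", "aws:kms")  # SSE-S3 or SSE-KMS default encryption

def public_access_findings(pab: Dict[str, bool]) -> List[str]:
    """One finding per Block Public Access flag that is missing or False."""
    return [f"{f} is not enabled" for f in PAB_FIELDS if not pab.get(f, False)]

def encryption_findings(sse: Dict) -> List[str]:
    """Check the ServerSideEncryptionConfiguration dict from s3.get_bucket_encryption().
    An empty dict models a bucket with no default encryption configured."""
    rules = sse.get("Rules", [])
    if not rules:
        return ["no default encryption configured"]
    findings = []
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo not in ACCEPTED_SSE:
            findings.append(f"unexpected SSEAlgorithm: {algo!r}")
    return findings

def assess_buckets(inventory: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Assess only buckets tagged DataClassification=CUI (assumed tagging scheme).
    Returns {bucket_name: [findings]}; an empty list means the bucket passes."""
    report = {}
    for name, cfg in inventory.items():
        if cfg.get("tags", {}).get("DataClassification") != "CUI":
            continue  # not in the CUI boundary, out of scope for this control
        report[name] = (public_access_findings(cfg.get("pab", {}))
                        + encryption_findings(cfg.get("sse", {})))
    return report

# Constructed sample inventory (fictional buckets, not a real account).
SAMPLE_INVENTORY = {
    "cui-contracts": {
        "tags": {"DataClassification": "CUI"},
        "pab": {f: True for f in PAB_FIELDS},
        "sse": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "EXAMPLE-KMS-KEY-ID"}}]}},
    "marketing-public-site": {"tags": {"DataClassification": "Public"}},
    "cui-drawings-legacy": {
        "tags": {"DataClassification": "CUI"},
        "pab": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
        "sse": {}},
}
```

Calling assess_buckets(SAMPLE_INVENTORY) skips the Public-tagged bucket, passes cui-contracts, and reports two missing Block Public Access flags plus missing default encryption for cui-drawings-legacy; the same report, run on a schedule, doubles as the audit evidence listed below.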
Evidence Examples
Cloud Configuration Screenshots
Access Control Policy
Access Logs
Security Assessment Report
Employee Training Records
SSP Guidance
Use this guidance when writing the System Security Plan (SSP) narrative for this control.
How to Write the SSP Narrative
For AC.L2-3.1.22 ("Control CUI posted or processed on publicly accessible systems"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe how access to CUI systems is controlled, including the specific IAM tools, policies, and processes used. Reference your Access Control Policy and identify the systems in scope. Be specific -- name your actual products, settings, and responsible personnel.
Example SSP Narratives
"AC.L2-3.1.22 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to control CUI posted or processed on publicly accessible systems. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."
"AC.L2-3.1.22 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to control CUI posted or processed on publicly accessible systems. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."
"AC.L2-3.1.22 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."
System Boundary Considerations
- Identify all access points to CUI systems (VPN, direct network, cloud portals)
- Document which IAM system manages access (Azure AD, AWS IAM, on-prem AD)
- Map user roles to system access levels
- Ensure this control covers all systems within your defined CUI boundary on which CUI could be posted or processed in a publicly accessible way
- Document any systems where this control is not applicable and explain why
Key Documentation to Reference in SSP
- Access Control Policy
- IAM configuration documentation
- Access request and approval records
- Evidence artifacts specific to AC.L2-3.1.22
- POA&M entry if control is not fully implemented
What the Assessor Looks For
The assessor will verify that access controls are implemented as described, test whether unauthorized users are blocked, and review access logs for evidence of enforcement.
Self-Assessment Questions
Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.
Question 1: Have you identified all systems storing or processing CUI?
Question 2: Are all CUI systems restricted from public access?
Question 3: Is encryption enabled for all CUI storage?
Question 4: Are access logs regularly monitored and audited?
Question 5: Do employees receive training on CUI handling?
Common Mistakes (What Auditors Flag)
1. Leaving CUI in public cloud buckets
2. Failing to encrypt CUI
3. Inadequate access logs
4. No employee training
5. Ignoring hybrid environment security
Parent Policy
This practice is governed by the Access Control Policy.