The fourth Practice required to be implemented under CMMC V1.0 within your information security plans also falls under the Capability, Limit data access to authorized users and processes (C004). This Practice is titled Control Information Posted or Processed on Publicly Accessible Information Systems (and is found on Pg 52 of the Appendix B PDF or B-14). So, what exactly does this Practice involve? In the discussion section of this Practice within the CMMC Appendix B, you find:

In accordance with laws, executive orders, directives, policies, regulations, or standards, the public is not authorized access to non-public information (e.g., information protected under the Privacy Act, Controlled Unclassified Information – CUI, and proprietary information). This requirement addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Individuals authorized to post CUI onto publicly accessible systems are designated. The content of information is reviewed prior to posting onto publicly accessible systems to ensure that non-public information is not included.

The clarification statement provides this guidance to a company: Do not allow sensitive information, including Federal Contract Information (FCI), which may include CUI, to become public. It is important to know which users/employees are allowed to publish information on publicly accessible systems, like your company website. Limit and control information that is posted on your company’s website that can be accessed by the public.

The example provided for this Practice: You are head of marketing for your company and want to become better known by your customers. So, you decide to start issuing press releases about your company projects. Your company gets FCI from doing work for the federal government. FCI is information that is not shared publicly. Because you recognize the need to control sensitive information, including FCI, you carefully review all information before posting it on the company website or releasing to the public. You allow only certain employees to post to the website.

Though a company policy for this Practice is not required for Level 1 compliance, this could be one of those Practices you would want to include in a company policy. As the example above shows, a company may sometimes wish to provide information on a public-facing website or a social media platform to illustrate the type of work it can do within the Federal contracting system. In doing so, though, a company may violate this Practice by posting information obtained during the fulfillment of the DoD contract (FCI) that one may think is OK to post but, based on this Practice, is not. New employees, or companies new to Federal contracting, may be particularly vulnerable to violating this Practice inadvertently. Having someone who is familiar with this Practice, and experienced with Federal contracting work, review posts to public-facing websites and social media platforms, or content in public service announcements, can help a company stay in compliance with this Practice.

Next, we will move into the Practices for Level 1 compliance that are included within the second Domain, Identification and Authentication.

By Mark R. Lupo, MBCP, SMP