Back to Control Explorer



Control Acronym



Access Control

CMMC Level


800-171 Control #


CMMC Description

Control information posted or processed on publicly accessible information systems.

CMMC Clarification

Do not allow sensitive information, including Federal Contract Information (FCI), which may include CUI, to become public. It is important to know which users/employees are allowed to publish information on publicly accessible systems, like your company website. Limit and control information that is posted on your company’s website(s) that can be accessed by the public. Example You are head of marketing for your company and want to become better known by your customers. So, you decide to start issuing press releases about your company projects. Your company gets FCI from doing work for the Federal government. FCI is information that is not shared publicly. Because you recognize the need to control sensitive information, including FCI, you carefully review all information before posting it on the company website or releasing to the public. You allow only certain employees to post to the website.

800-171 Description

Control CUI posted or processed on publicly accessible systems.

800-171 Discussion

In accordance with laws, Executive Orders, directives, policies, regulations, or standards, the public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act, CUI, and proprietary information). This requirement addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Individuals authorized to post CUI onto publicly accessible systems are designated. The content of information is reviewed prior to posting onto publicly accessible systems to ensure that nonpublic information is not included.

Other Source Discussion


CIS Control References

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 AC-22

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.1.22

Applicable FAR Clause

FAR Clause 52.204-21 b.1.iv

NIST CSF Control Reference

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

AC.1.004.[a] individuals authorized to post or process information on publicly accessible systems are identified;

Assessment Sub-Criteria 2

AC.1.004.[b] procedures to ensure FCI is not posted or processed on publicly accessible systems are identified;

Assessment Sub-Criteria 3

AC.1.004.[c] a review process is in place prior to posting of any content to publicly accessible systems;

Assessment Sub-Criteria 4

AC.1.004.[d] content on publicly accessible systems is reviewed to ensure that it does not include FCI; and

Assessment Sub-Criteria 5

AC.1.004.[e] mechanisms are in place to remove and address improper posting of FCI.

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15