System And Communications Protection
Implement a policy restricting the publication of CUI on externally owned, publicly accessible websites (e.g., forums, LinkedIn, Facebook, Twitter).
Establish a defined and communicated policy to prohibit employees from posting CUI on a publicly facing website. This includes social media outlets such as Facebook, LinkedIn, and Twitter. This policy applies to business-related and personal posts.

Example

You are a program manager for a contract that uses CUI. To ensure you are protecting your information correctly, you inform everyone working on the project of your existing policy that prohibits the posting of CUI on public websites. This includes any job- or industry-related forums or discussions that may reference your contract work. You include these instructions in your initial project kick-off briefing and in the briefing to any employees who join the project once it is underway. You also include a reminder in your company’s annual security training.
CMMC: Define and enforce a policy that restricts employees from publishing or posting CUI on public websites such as forums and social media outlets.
SC.3.193.[a] the organization has a security policy which restricts publishing CUI to any externally owned, publicly accessible information system;
SC.3.193.[b] the organization designates individuals authorized to post organization information onto any externally owned, publicly accessible information systems;
SC.3.193.[c] the organization trains authorized individuals to ensure that publicly accessible organization information does not contain CUI;
SC.3.193.[d] the organization conducts reviews to ensure CUI is not included in proposed content to be posted by the organization on a publicly accessible information system under its control; and
SC.3.193.[e] the organization removes CUI, if discovered, from any publicly accessible information system under its control.