


Control Acronym



System And Communications Protection

CMMC Level


800-171 Control #


CMMC Description

Implement a policy restricting the publication of CUI on externally owned, publicly accessible websites (e.g., forums, LinkedIn, Facebook, Twitter).

CMMC Clarification

Establish a defined and communicated policy that prohibits employees from posting CUI on any publicly facing website. This includes social media outlets such as Facebook, LinkedIn, and Twitter. The policy applies to both business-related and personal posts.

Example: You are a program manager for a contract that uses CUI. To ensure you are protecting your information correctly, you inform everyone working on the project of your existing policy that prohibits the posting of CUI on public websites. This includes any job- or industry-related forums or discussions that may reference your contract work. You include these instructions in your initial project kick-off briefing and in the briefing to any employees who join the project once it is underway. You also include a reminder in your company's annual security training.

800-171 Description

800-171 Discussion


Other Source Discussion

CMMC: Define and enforce a policy that restricts employees from publishing or posting CUI on public websites such as forums and social media outlets.

CIS Control References

NIST 800-53 Control Ref.

CMMC Derived


NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSC Cyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

SC.3.193.[a] the organization has a security policy which restricts publishing CUI to any externally owned, publicly accessible information system;

Assessment Sub-Criteria 2

SC.3.193.[b] the organization designates individuals authorized to post organization information onto any externally owned, publicly accessible information systems;

Assessment Sub-Criteria 3

SC.3.193.[c] the organization trains authorized individuals to ensure that publicly accessible organization information does not contain CUI;

Assessment Sub-Criteria 4

SC.3.193.[d] the organization conducts reviews to ensure CUI is not included in proposed content to be posted by the organization on a publicly accessible information system under its control; and

Assessment Sub-Criteria 5

SC.3.193.[e] the organization removes CUI, if discovered, from any publicly accessible information system under its control.
