This post explains how to implement FAR 52.204-21 and the CMMC 2.0 Level 1 control AC.L1-B.1.IV — controlling information posted or processed on publicly accessible information systems — with practical, step-by-step advice a small business can apply today to avoid exposing Federal Contract Information (FCI) or other sensitive data on public-facing web properties and cloud storage.
What this control requires (practical summary)
At a practical level the control requires you to ensure that Federal Contract Information (FCI: information not intended for public release that is provided by or generated for the Government under a contract, excluding information the Government itself releases to the public and simple transactional data such as payment details) and other sensitive but unclassified data you are responsible for is not posted, left discoverable, or processed on publicly accessible systems. "Publicly accessible" means anything reachable from the internet without authentication: your marketing website, blog, public cloud storage, public code repositories. For a small business this translates into four things: classify information, prevent public publishing of FCI, enforce approval and review workflows, and implement technical controls (access lists, server configuration, cloud ACLs and public-access blocks, metadata removal, DLP checks) that block or detect sensitive content reaching public systems.
Step-by-step implementation
1) Inventory and classification (start here)
Step 1 is documentation: create a simple inventory of public-facing assets (websites, blogs, marketing pages, S3 buckets or other cloud storage that is or could be made public, CDN endpoints, public code repositories and GitHub Pages sites) and classify what types of information each is permitted to host. Use a spreadsheet or lightweight CMDB with columns for asset, owner, purpose, allowed data types (e.g., marketing-only, public product info), and a "not allowed" column (FCI, contract numbers, technical drawings). Assign an owner responsible for review and retention decisions, and date each review so the inventory itself becomes audit evidence.
2) Policy, approval workflows, and training
Formalize a short publishing policy: no FCI or contract-specific details may be published on public sites without written approval. Implement a two-step review for new public content (author -> reviewer -> publish), maintain a changelog, and require content owners to sign off. Train marketing, developers, and any staff with publish rights on what qualifies as FCI and how to remove metadata (author names, tracked changes, comments, GPS tags) from files before publishing. Small-business example: require marketing to route any content mentioning government projects through the designated contract compliance officer before release.
3) Technical controls and examples
Apply concrete technical controls on web servers and cloud storage: block public access to buckets, deny internal paths on web servers, and strip metadata from files before publishing. Commands and snippets a small business can use immediately:
AWS S3 public-access block for a single bucket (if no bucket in the account should ever be public, set the same four flags at the account level with the s3control equivalent, and confirm the setting afterwards with the matching get-public-access-block command):
    aws s3api put-public-access-block --bucket my-bucket --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
Nginx rule to protect an internal path (deny all already answers 403, so no separate return is needed; the ^~ modifier stops a later regex location such as one for static files from taking precedence over this prefix match; better still, keep internal files outside the web root entirely):
    location ^~ /internal/ { deny all; }
Use exiftool to remove embedded metadata (author, GPS position, comments, editing history) before publishing images: exiftool -all= image.jpg. Note that exiftool leaves a backup named image.jpg_original next to the output, which must not be uploaded with it, and that -all= also removes the colour profile and orientation tag, so check the stripped image still renders correctly. For CMS platforms (WordPress, Drupal), restrict contributor roles from publishing and use plugins that require approval before making content public.
4) Automated detection and scanning
Complement process controls with automated scanning: run a scheduled crawler over your own domains and flag pages that contain contract numbers, SSNs, or other sensitive patterns. Implement basic DLP rules or regular expressions that scan uploads on forms and file storage (example regex for an SSN: \b\d{3}-\d{2}-\d{4}\b, which will also match placeholders such as 000-00-0000, so expect to tune it), and alert on matches. Use a crawler such as OWASP ZAP's spider, or simply a site:yourdomain.com query in a search engine, to find orphaned or forgotten pages that are still indexed. For cloud-native environments enable logging of object-level activity (S3 server access logs, or CloudTrail data events for S3, since object-level calls are not recorded as management events) and feed it to a SIEM to detect a bucket or object being made public; AWS Config managed rules such as s3-bucket-public-read-prohibited give the same check without custom code.
5) Remediation and change control
When a violation is found, follow a documented, fast remediation workflow: take the object or page offline (remove the public ACL or policy, or unpublish the page), preserve a copy and its access logs for investigation so you can tell whether anyone actually retrieved it, notify the contracting officer if FCI is involved, and complete a root-cause analysis. Track any gap you cannot fix immediately in a POA&M for your own project management, but note that CMMC Level 1 expects every practice to be fully met at the time of the self-assessment, so an open POA&M item is not a substitute for the fix. Add pre-publish gates to CI/CD pipelines that fail the build when sensitive patterns are detected (for example a GitHub Action that scans the files in a pull request for keywords or regexes and blocks the merge to the branch that deploys the live site); because CMS content never passes through git, run the same scan against the rendered site or in a CMS publish hook as well.
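A scanner that serves both the upload/DLP check in step 4 and the CI/CD pre-publish gate in step 5, as an added example (this is not code from the original post or any project it mentions). The contract-number regex follows the 13-character PIID layout of FAR 4.1603 as I understand it, the marking keywords are a starting list to tune, and the sample draft is constructed:

```python
"""Pre-publish content scanner: added example, not code from the original post.

Walks the files about to be published, flags text that looks like FCI or PII,
and exits non-zero so a CI job or CMS publish hook can block the release.
Assumptions: the contract-number regex follows the 13-character PIID layout of
FAR 4.1603 (6-character agency code, 2-digit fiscal year, 1-letter instrument
type, 4-character serial); the marking keywords are a starting list to tune.
"""
import re
import sys
from pathlib import Path

PATTERNS = {
    # SSN with SSA issuance rules: no area 000/666/9xx, group 00 or serial 0000,
    # which keeps placeholders such as 000-00-0000 from tripping the gate.
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # Federal contract or order number, e.g. W911NF-20-C-0001 (assumed PIID layout).
    "contract_number": re.compile(r"\b[A-Z0-9]{6}-\d{2}-[A-Z]-[A-Z0-9]{4}\b"),
    # Markings and phrases that have no business on a public page.
    "marking": re.compile(
        r"\b(CUI|FOUO|For Official Use Only|Controlled Unclassified Information|"
        r"Contract No\.?|Solicitation No\.?|RFP No\.?)\b",
        re.IGNORECASE,
    ),
}

# Only text-like files are regex-scanned; images and PDFs need a metadata check instead.
TEXT_SUFFIXES = {".html", ".htm", ".md", ".txt", ".csv", ".json", ".xml", ".yml", ".yaml"}

# Constructed sample draft (not a real customer or contract) used to demonstrate the scanner.
SAMPLE_DRAFT = """\
Case study: modernising logistics for a DoD customer.
Work was performed under contract W911NF-20-C-0001 (Contract No. listed for reference).
The program manager's SSN 123-45-6789 appeared in an appendix by mistake.
Placeholder 000-00-0000 and the marketing phone 555-0100 should not trigger.
This page is approved for public release and carries no FOUO markings.
"""


def scan_text(text):
    """Return [(line_number, pattern_name, matched_text), ...] for every hit in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, regex in PATTERNS.items():
            for match in regex.finditer(line):
                findings.append((lineno, name, match.group(0)))
    return findings


def scan_files(files):
    """files: iterable of (name, text) pairs. Returns {name: findings} for files with hits."""
    results = {}
    for name, text in files:
        hits = scan_text(text)
        if hits:
            results[name] = hits
    return results


def iter_text_files(root):
    """Yield (path, text) for every text-like file under root (a file or a directory)."""
    root = Path(root)
    paths = [root] if root.is_file() else sorted(p for p in root.rglob("*") if p.is_file())
    for path in paths:
        if path.suffix.lower() in TEXT_SUFFIXES:
            yield str(path), path.read_text(encoding="utf-8", errors="replace")


def main(argv):
    """CLI entry point: exit 1 when anything sensitive is found, so the pipeline stops."""
    if len(argv) != 2:
        print(f"usage: {argv[0]} <directory or file about to be published>")
        return 2
    results = scan_files(iter_text_files(argv[1]))
    for name, hits in results.items():
        for lineno, pattern, matched in hits:
            print(f"{name}:{lineno}: {pattern}: {matched}")
    if results:
        print(f"BLOCKED: {sum(len(h) for h in results.values())} sensitive pattern(s) found")
        return 1
    print("OK: no sensitive patterns found")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python scan_publish.py ./build` from the job that deploys the site; a non-zero exit fails the job. The last line of the sample draft shows why a human reviewer still sits behind the gate: "carries no FOUO markings" is flagged even though it is harmless, and that is the right trade-off for a block-by-default check.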
Small business scenarios and real-world examples
Example 1: A marketing intern publishes a case study that includes a contract number and an excerpt from the RFP. Prevention: the CMS requires review by the compliance officer before publishing, and a pre-publish scanner looks for contract-number formats and blocks the publish action. Example 2: An engineer shares files through an S3 bucket and leaves the bucket public. Prevention: the account-level public access block stops the bucket from being made public in the first place; as a safety net, an automated daily script checks every bucket's public access block, ACL and bucket policy and emails the owner if anything is world-readable; remediation removes the public grant or policy and reinstates sharing through S3 presigned URLs, CloudFront signed URLs or signed cookies, or IAM-based access for named users.
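The daily S3 check from Example 2, as an added example (not code from the original post). The evaluation functions take the plain dictionaries boto3 returns, so they run here on constructed responses; live_scan() is the assumed wiring to boto3 and needs real credentials with the listed permissions, which is not exercised here:

```python
"""Daily S3 public-exposure check: added example, not code from the original post.

The check functions take the plain dictionaries boto3 returns from get_bucket_acl,
get_public_access_block and get_bucket_policy. live_scan() (assumed deployment
wiring) needs credentials with s3:ListAllMyBuckets, s3:GetBucketAcl,
s3:GetBucketPublicAccessBlock and s3:GetBucketPolicy.
"""
import json

# Group grantees that make an ACL world-readable. AuthenticatedUsers means any
# AWS account, not just yours, so it is treated as public too.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def public_grants(acl):
    """(group, permission) pairs in an ACL document granted to AllUsers/AuthenticatedUsers."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append((grantee["URI"].rsplit("/", 1)[1], grant["Permission"]))
    return hits


def missing_public_access_blocks(pab):
    """Names of the four public-access-block settings that are not switched on."""
    return [key for key in PAB_KEYS if pab.get(key) is not True]


def anonymous_allow_statements(policy):
    """(sid, level) for Allow statements with a wildcard principal. A statement that
    carries a Condition is 'review' rather than 'public': the condition (for example
    aws:SourceVpce) may restrict who can actually use it."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for index, statement in enumerate(statements):
        if statement.get("Effect") != "Allow":
            continue
        principal = statement.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        wildcard = "*" in principal if isinstance(principal, list) else principal == "*"
        if wildcard:
            level = "review" if "Condition" in statement else "public"
            findings.append((statement.get("Sid", f"statement[{index}]"), level))
    return findings


def assess_bucket(name, acl, pab, policy):
    """Combine the checks into human-readable findings for one bucket."""
    findings = []
    missing = missing_public_access_blocks(pab)
    # IgnorePublicAcls makes S3 ignore public ACLs and RestrictPublicBuckets neutralises
    # a public bucket policy, but a stale grant is still reported so it gets removed.
    for group, permission in public_grants(acl):
        note = "" if "IgnorePublicAcls" in missing else " (ignored while IgnorePublicAcls is on)"
        findings.append(f"{name}: ACL grants {permission} to {group}{note}")
    for sid, level in anonymous_allow_statements(policy or {}):
        note = "" if "RestrictPublicBuckets" in missing else " (ignored while RestrictPublicBuckets is on)"
        findings.append(f"{name}: policy statement {sid} allows anonymous access, {level}{note}")
    if missing:
        findings.append(f"{name}: public access block incomplete, missing {', '.join(missing)}")
    return findings


def live_scan():
    """Assess every bucket in the account (assumed wiring; needs boto3 and credentials)."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    report = []
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        acl = s3.get_bucket_acl(Bucket=name)
        try:
            pab = s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
        except ClientError as err:
            if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
                raise
            pab = {}  # nothing configured: every setting counts as missing
        try:
            policy = json.loads(s3.get_bucket_policy(Bucket=name)["Policy"])
        except ClientError as err:
            if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
                raise
            policy = {}
        report.extend(assess_bucket(name, acl, pab, policy))
    return report


# Constructed API responses (shape of boto3 results, not real buckets) for demonstration.
SAMPLE_ACL_PUBLIC = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
SAMPLE_ACL_PRIVATE = {"Owner": {"ID": "owner-id"}, "Grants": SAMPLE_ACL_PUBLIC["Grants"][:1]}
SAMPLE_PAB_ON = {key: True for key in PAB_KEYS}
SAMPLE_POLICY_PUBLIC = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::shared-drawings/*"}]}

if __name__ == "__main__":
    for line in assess_bucket("shared-drawings", SAMPLE_ACL_PUBLIC, {}, SAMPLE_POLICY_PUBLIC):
        print(line)
```

Schedule live_scan() daily and mail the report to the bucket owners. The account-level public access block (set through the s3control API) is not read by this script; if it is on, bucket findings are neutralised the same way the per-bucket flags neutralise them, so record that setting in your evidence folder alongside the script output.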
Compliance tips, best practices, and technical checklist
Checklist highlights for compliance: (1) maintain an up-to-date inventory and owner list, (2) publish a concise "no FCI on public systems" policy, (3) enforce two-person review for public content, (4) enable cloud provider public-access blocks (account-wide where possible) and restrictive bucket policies, (5) strip metadata from files pre-publish with exiftool or an automated pipeline, (6) implement scanning (DLP/regex) for uploads and CI/CD pre-deploy gates, (7) log and monitor changes to public-read settings and audit monthly. Use HTTPS (TLS 1.2 or newer), HSTS, and security headers such as a Content Security Policy on public sites to reduce related risks. Document every control, with screenshots and script output, in your evidence folder for audits and the CMMC Level 1 self-assessment and affirmation.
Risk of not implementing this control
Failing to control information on public systems risks disclosure of FCI or other sensitive data, contract non-compliance, loss of contracts, and reputational damage. For federal contracts, exposure can trigger contractual reporting obligations (check your clauses; DoD contracts that carry DFARS 252.204-7012 require cyber incident reporting within 72 hours), potential contract penalties, removal from future opportunities, and costly incident response. Small businesses face particular risk because a single misconfiguration (a public S3 bucket, an unreviewed CMS page) can leak sensitive details widely and be indexed by search engines and cached by third parties within hours, after which taking the page down no longer removes the copies.
Summary: Implementing AC.L1-B.1.IV is a pragmatic combination of inventory/classification, clear policies and workflows, and automated technical controls (ACLs, server rules, DLP scanning, metadata stripping) that a small business can put in place quickly. Start with an asset inventory and a "no FCI on public systems" policy, add pre-publish checks and cloud public-blocks, and automate scanning and alerting so you catch accidental exposures before they become incidents — and document everything for compliance evidence and future audits.