
How to Meet NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AC.L2-3.1.22

Practical guide for SMBs to implement NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AC.L2-3.1.22

January 06, 2026 · 3 min read


Requirement

NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AC.L2-3.1.22 – Control information posted or processed on publicly accessible information systems.

Understanding the Requirement

This control — from NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 — requires that an organization prevent Controlled Unclassified Information (CUI) from being posted to or processed on any publicly accessible system unless the content has been authorized and reviewed. Practically, it means identifying who may post publicly, defining review procedures and checklists that specifically look for CUI, conducting a pre-post review of content, monitoring public channels for accidental disclosures, and having mechanisms to remove and remediate any improper postings.

Technical Implementation

  • Define and enforce posting roles:

    Create a small, named list of accounts/roles authorized to publish to each public channel (website CMS, social media, press releases). Implement least-privilege access in your CMS and social platforms so only those accounts can publish; use unique logins, MFA, and role-based permissions to prevent unauthorized posting.

  • Formal review workflow with a checklist:

    Implement an approval workflow where content must be placed in a staging area and signed off by a reviewer with information security responsibility and a designated business owner (e.g., marketing + security). Use a simple checklist that explicitly asks whether CUI is present, whether contract identifiers are included, and whether the content references technical details or performance metrics.

  • Automated scanning for indicators of CUI:

    Deploy lightweight content scanning on staging pages and social drafts — for example, DLP rules, pattern-matching scripts, or keyword lists for contract numbers and technical phrases. Configure the scanner to quarantine content or alert reviewers when flagged terms appear.

  • Rapid removal and remediation process:

    Document and test a removal playbook: who takes down content, how quickly it must be removed, how to preserve evidence (screenshots, logs), and how to notify affected parties or the contracting officer if needed. Ensure web and social admins have authority and credentials pre-configured for emergency takedowns.

  • Logging, monitoring, and periodic review:

    Keep audit logs of publishing actions, approvals, and removals. Schedule periodic reviews of public-facing content (quarterly) to verify nothing slipped through and to refine detection keywords and checklists based on incidents or contract changes.

  • Training and communications:

    Provide short, role-specific training for marketing, PR, and anyone who drafts external content. Include examples of CUI, the approval workflow, and the escalation path for suspected disclosures. Keep training materials concise and readily available on the intranet.
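The following script is an added example, not code from the article or from any compliance product, showing how the publishing-role restriction, the automated indicator scan and the audit logging above fit together as a single pre-publish gate. The publisher allowlist, the indicator patterns and the three sample drafts are constructed placeholders; the contract-number pattern only follows the general 13-character PIID layout, and a real deployment would take its patterns and keyword lists from the organization's own contracts and CUI marking guidance.

```python
"""Pre-publish scan of staged public content for indicators of CUI.

Added example, not code from the article or any vendor product. The publisher
allowlist, indicator patterns and sample drafts are constructed placeholders;
a real deployment would derive them from the organization's own contracts and
CUI marking guidance.
"""
import json
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Named accounts allowed to publish to each public channel (hypothetical values).
AUTHORIZED_PUBLISHERS = {
    "website": {"marketing-web-1", "marketing-web-2"},
    "social": {"marketing-social-1"},
}

# Constructed indicator patterns. The contract-number pattern follows the
# 13-character PIID layout (6-char activity code, 2-digit fiscal year,
# 1-letter instrument type, 4-char serial); the keyword lists are examples
# that reviewers would extend after each incident or new contract.
INDICATOR_PATTERNS = {
    "contract_number": re.compile(r"\b[A-Z0-9]{6}-\d{2}-[A-Z]-\d{4}\b"),
    "cage_code": re.compile(r"\bCAGE[:\s]+[A-Z0-9]{5}\b", re.IGNORECASE),
    "cui_marking": re.compile(
        r"\b(CUI|controlled unclassified|ITAR|export[- ]controlled)\b", re.IGNORECASE),
    "schedule_detail": re.compile(
        r"\b(milestone|delivery date|CDRL|critical design review)\b", re.IGNORECASE),
    "technical_spec": re.compile(
        r"\b(tolerance|yield strength|\d+(?:\.\d+)?\s?(?:MHz|GHz|psi))\b", re.IGNORECASE),
}


@dataclass
class Finding:
    category: str
    text: str
    offset: int


@dataclass
class ScanResult:
    channel: str
    publisher: str
    decision: str = "approve"          # "approve" or "quarantine"
    findings: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def scan_text(text):
    """Return every indicator match in the draft with its category and offset."""
    return [Finding(category, m.group(0), m.start())
            for category, pattern in INDICATOR_PATTERNS.items()
            for m in pattern.finditer(text)]


def review_draft(channel, publisher, text):
    """Gate a staged draft: an unauthorized publisher or any indicator hit quarantines it."""
    result = ScanResult(channel=channel, publisher=publisher)
    if publisher not in AUTHORIZED_PUBLISHERS.get(channel, set()):
        result.reasons.append(f"{publisher!r} is not an authorized publisher for {channel!r}")
    result.findings = scan_text(text)
    if result.findings:
        categories = sorted({f.category for f in result.findings})
        result.reasons.append("possible CUI indicators: " + ", ".join(categories))
    if result.reasons:
        result.decision = "quarantine"
    return result


def audit_record(result):
    """One JSON line per review decision, for the publishing audit log."""
    return json.dumps({
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "channel": result.channel,
        "publisher": result.publisher,
        "decision": result.decision,
        "reasons": result.reasons,
        "findings": [(f.category, f.text, f.offset) for f in result.findings],
    }, sort_keys=True)


# Constructed sample drafts mirroring the scenario in the article.
PRESS_RELEASE = (
    "Acme Engineering has been selected as a subcontractor supporting a "
    "federal customer and is expanding its Ohio office."
)
BLOG_DRAFT = (
    "Our team completed the critical design review ahead of the first milestone "
    "under contract W91ABC-25-C-0042 (CAGE: 1AB23) and moved to fabrication."
)
BLOG_REVISED = (
    "Our team completed a major program review ahead of schedule "
    "and moved to fabrication."
)

if __name__ == "__main__":
    for label, channel, publisher, text in [
        ("press release", "website", "marketing-web-1", PRESS_RELEASE),
        ("blog draft", "website", "marketing-web-2", BLOG_DRAFT),
        ("blog revised", "website", "marketing-web-2", BLOG_REVISED),
        ("unauthorized", "social", "intern-7", PRESS_RELEASE),
    ]:
        result = review_draft(channel, publisher, text)
        print(f"{label}: {result.decision} {result.reasons}")
        print("  audit:", audit_record(result))
```

Running the script reproduces the article's scenario: the press release passes, the first blog draft is quarantined for a schedule detail together with the contract and CAGE identifiers, and the revised draft with that detail removed is approved on re-scan. The scanner is deliberately conservative (any hit quarantines), so the human checklist review stays the final approval step, and every decision is written as a JSON audit line whether or not content was blocked.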

Example in a Small or Medium Business

A 50-person engineering firm wins a federal subcontract and the marketing team prepares a press release and a technical highlights blog post. The firm enforces a policy that only two named marketing accounts can publish to the public website and social media; both require multi-factor authentication. Marketing uploads drafts to the company's CMS staging environment where an automated keyword scan looks for contract numbers, export-controlled terms, and specific technical specs. The drafts are routed to the information security lead and the contract manager, who use a short CUI checklist before approving publication. The blog post is flagged by the scanner for mentioning a project schedule detail; the team removes that detail, re-scans, and the content is approved. After publishing, the firm runs a weekly monitor that searches public pages and social posts for contract-related terms; if something is found, the removal playbook is executed, logs are captured, and the incident is reviewed to update the checklist and training.

Summary

Combining clear policies (who may post and what must be reviewed), an enforceable technical workflow (restricted publishing accounts, staging, automated scans), and an effective removal and review process ensures SMBs prevent accidental publication of CUI. Role-based controls, documented checklists, logging, and routine training create defense-in-depth: prevention through restriction, detection with automated and human review, and rapid remediation if an improper posting occurs.
