Description:
In accordance with laws, Executive Orders, directives, policies, regulations, or standards, the public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act, CUI, and proprietary information). This requirement addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Individuals authorized to post CUI onto publicly accessible systems are designated. The content of information is reviewed prior to posting onto publicly accessible systems to ensure that nonpublic information is not included.
Priority: Medium
Category: Personnel Security
Services Associated with AWS:
- AWS Identity and Access Management (IAM), AWS Secrets Manager, AWS Security Hub, AWS Security Groups, AWS Web Application Firewall (WAF)
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
- Administrative: supporting documentation of role-based security training being performed
- Administrative: supporting documentation to demonstrate change management practices reviewed/approved the request(s)
- Administrative: documented Data Flow Diagram (DFD)
- Technical: screenshot of access control settings
Possible Technology Considerations:
- Data Loss Prevention (DLP)
- Content / DNS Filtering Solution
What needs to be answered:
- Are the employees authorized to post information on publicly accessible information systems trained to ensure that CUI and other nonpublic information is not posted?
- Is public information reviewed before posting?
- Is public information reviewed annually?
- Control Posting of CUI on Publicly Accessible Systems
  Description: This check ensures that the posting of Controlled Unclassified Information (CUI) on publicly accessible systems is controlled and in compliance with laws, regulations, and organizational policies. Individuals authorized to post CUI onto publicly accessible systems are designated, and the content of information is reviewed before posting to prevent the inclusion of nonpublic information.
- Establish Access Controls for Publicly Accessible Systems
  Description: This check verifies that access controls are implemented on publicly accessible systems to prevent unauthorized access to nonpublic information. The public-facing content itself is typically reachable without identification or authentication; identification and authentication mechanisms should be in place for the nonpublic content, publishing workflow, and administrative functions of those systems so that only authorized individuals can reach them.
- Conduct Content Review Prior to Posting on Publicly Accessible Systems
  Description: This check confirms that a review process is established to examine the content of information before posting it on publicly accessible systems. The purpose is to ensure that nonpublic information, including CUI, is not included in the posted content.
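The first and third checks above (designated posters, content review before posting) can be backed by an automated pre-publish gate. The following is an added example written for this page; it is not part of the control text, NIST guidance, or any AWS service. The designated-poster list, the marking patterns, and the sample documents are all hypothetical and constructed for illustration; the CUI marking pattern follows the uppercase banner/portion marking shape ("CUI", "CUI//SP-PRVCY", "(CUI)") and is a heuristic, not an exhaustive DLP ruleset.

```python
"""Pre-posting content review gate (added example, not part of the original control text).

Assumptions, all hypothetical: the designated-poster list, the marking
patterns and the sample documents are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Hypothetical set of individuals designated to post to public systems.
DESIGNATED_POSTERS = frozenset({"j.doe", "a.smith"})

# Patterns that indicate nonpublic content. CUI banner and portion markings
# are uppercase by convention ("CUI", "CUI//SP-PRVCY", "(CUI)"), so that
# pattern is deliberately case-sensitive; the others are not.
NONPUBLIC_PATTERNS = {
    "cui_marking": re.compile(
        r"\bCUI(?://[A-Z0-9-]+(?:/[A-Z0-9-]+)*)?\b"
        r"|\bCONTROLLED UNCLASSIFIED INFORMATION\b"),
    # Loose SSN shape; rejects area/group/serial values that are never issued.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b"),
    "privacy_act": re.compile(r"\bprivacy act\b", re.IGNORECASE),
    "proprietary": re.compile(r"\bproprietary\b", re.IGNORECASE),
}


@dataclass
class ReviewResult:
    approved: bool
    reasons: list = field(default_factory=list)   # why the post was blocked
    findings: list = field(default_factory=list)  # (line_no, kind, matched text)


def scan_content(text: str) -> list:
    """Return (line_no, kind, match) for every nonpublic indicator found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in NONPUBLIC_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((line_no, kind, m.group(0)))
    return findings


def review_for_posting(author: str, text: str) -> ReviewResult:
    """Gate a document before it is published to a public system.

    Both conditions must hold: the author is a designated poster and the
    content scanner finds no nonpublic indicators. Both are always evaluated
    so the reviewer sees every reason for a rejection at once.
    """
    result = ReviewResult(approved=True)
    if author not in DESIGNATED_POSTERS:
        result.approved = False
        result.reasons.append(f"{author} is not designated to post to public systems")
    result.findings = scan_content(text)
    if result.findings:
        result.approved = False
        kinds = sorted({kind for _, kind, _ in result.findings})
        result.reasons.append("nonpublic content detected: " + ", ".join(kinds))
    return result


# Constructed sample documents for demonstration (not real data).
SAMPLES = {
    "press_release": "Acme Corp announces a new office opening in Denver.\n",
    "contract_excerpt": (
        "CUI//SP-PRVCY\n"
        "Employee roster attached. Contact SSN 123-45-6789 on file.\n"
    ),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        r = review_for_posting("j.doe", body)
        print(f"{name}: {'APPROVED' if r.approved else 'BLOCKED'} {r.reasons}")
        for line_no, kind, match in r.findings:
            print(f"  line {line_no}: {kind}: {match!r}")
```

In practice this gate would run in the publishing pipeline (for example as a check before an object is written to a public bucket or a CMS page is published), with blocked findings routed to the human reviewer the control requires; the scanner supports the review, it does not replace it.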
More Details:
No CUI is posted on publicly accessible systems.