Level 1
Description:
In accordance with laws, Executive Orders, directives, policies, regulations, or standards, the public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act, CUI, and proprietary information). This requirement addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Individuals authorized to post CUI onto publicly accessible systems are designated. The content of information is reviewed prior to posting onto publicly accessible systems to ensure that nonpublic information is not included.
Priority: Medium
Domain: ACCESS CONTROL (AC)
Services Associated with AWS:
- AWS Identity and Access Management (IAM)
- AWS Secrets Manager
- AWS Security Hub
- AWS Security Groups
- AWS Web Application Firewall (WAF)
Services Associated with Azure:
- Azure Blob Storage
- Azure App Service
- Azure Web Apps
- Azure Content Delivery Network (CDN)
- Azure API Management
- Azure Front Door
- Azure Application Gateway
- Azure Traffic Manager
- Azure Logic Apps
- Azure Functions
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
- Administrative: supporting documentation of role-based security training being performed
- Administrative: supporting documentation to demonstrate change management practices reviewed/approved the request(s)
- Administrative: documented Data Flow Diagram (DFD)
- Technical: screenshot of access control settings
Possible Technology Considerations:
- Data Loss Prevention (DLP)
- Content / DNS Filtering Solution
What needs to be answered:
Are the employees authorized to post information on publicly accessible systems designated and trained so that CUI and other nonpublic information is not posted? Is content reviewed before it is posted? Is already-published content reviewed at least annually to confirm it still contains no nonpublic information?
Checks for AWS
- Control Posting of CUI on Publicly Accessible Systems
  Description: This check ensures that the posting of Controlled Unclassified Information (CUI) on publicly accessible systems is controlled and in compliance with laws, regulations, and organizational policies. Individuals authorized to post content onto publicly accessible systems are explicitly designated, and the content is reviewed before posting to prevent the inclusion of nonpublic information.
- Establish Access Controls for Publicly Accessible Systems
  Description: This check verifies that access controls are implemented on publicly accessible systems to prevent unauthorized access to nonpublic information. Public content remains reachable without authentication, but identification and authentication mechanisms must gate the posting and administrative functions (for example, IAM principals permitted to publish content) and any nonpublic content hosted on the same system.
- Conduct Content Review Prior to Posting on Publicly Accessible Systems
  Description: This check confirms that a review process is established to examine the content of information before it is posted on publicly accessible systems. The purpose is to ensure that nonpublic information, including CUI, is not included in the posted content.
Checks for Azure
- Control Posting of Nonpublic Information on Publicly Accessible Systems
  Description: This policy check ensures that the posting of nonpublic information on publicly accessible systems is controlled and compliant with laws, regulations, and organizational policies. It verifies that authorized individuals are designated to post content and that a review process is in place to prevent the inclusion of nonpublic information.
- Implement Access Controls for Publicly Accessible Systems
  Description: This policy check validates that access controls are properly implemented on publicly accessible systems in Azure. It verifies that identification and authentication mechanisms restrict the publishing and administrative paths, and any nonpublic content, to authorized individuals, while public content stays accessible as intended.
- Enforce Content Review Before Posting on Publicly Accessible Systems
  Description: This policy check ensures that a content review process is in place before information is posted on publicly accessible systems. It verifies that content is reviewed for nonpublic information, including Controlled Unclassified Information (CUI), so that none is included in what is posted.
- Implement Data Loss Prevention (DLP) Policies
  Description: This policy check validates the implementation of Data Loss Prevention (DLP) policies in Azure. DLP policies help prevent the accidental or unauthorized disclosure of sensitive information by monitoring and controlling the movement of data within Azure services; they are a compensating control that supplements, rather than replaces, the manual pre-posting review.
- Enable Content Filtering Solution for Publicly Accessible Systems
  Description: This policy check confirms that a content filtering solution is enabled for publicly accessible systems in Azure. Content filtering solutions, such as DNS filtering, help enforce security policies by controlling access to certain websites or blocking malicious content from being reached through these systems. Note that such filtering governs what the systems can reach, not what is published on them, so it does not by itself satisfy the posting-review requirement.
More Details: No CUI is posted on publicly accessible systems.