AC.L2-3.1.22 Control Public Information | CMMC Level 2
Public information systems are often targets for unauthorized access and data exposure. AC.L2-3.1.22 requires you to govern what information gets posted or processed on publicly accessible systems—preventing accidental disclosure of controlled unclassified information (CUI). This control is foundational for any organization handling sensitive data in hybrid or cloud environments.
What this means
This control ensures that only approved, non-sensitive information is posted or processed on systems accessible to the public internet. You must implement policies and technical controls to prevent CUI, proprietary data, or regulated information from being stored, cached, or transmitted through public-facing systems. This includes web servers, public cloud storage, content management systems, and any system reachable without authentication.
How to comply
- 1.Classify all information assets and identify what is safe for public systems vs. what requires restricted access
- 2.Document policies prohibiting CUI and sensitive data on public information systems
- 3.Configure web servers, APIs, and public cloud storage with access controls and encryption
- 4.Implement monitoring and logging on public systems to detect unauthorized data uploads or exposures
- 5.Conduct regular audits and scans to identify misconfigured public systems or exposed sensitive data
- 6.Train personnel on data classification and safe handling of information on public platforms
- 7.Use data loss prevention (DLP) tools to block transmission of classified data to public systems
Evidence auditors look for
- Information classification policy with definitions of public vs. controlled information
- System architecture diagrams showing data flow separation between public and restricted systems
- Access control lists and firewall rules limiting sensitive data to protected networks
- Configuration documentation for web servers, databases, and cloud storage with security settings
- Audit logs showing attempts to access or upload sensitive data to public systems
- DLP tool reports blocking unauthorized data transfers
- Vulnerability scans and penetration test results on public-facing systems
- Employee training records on data classification and safe information handling
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates discovery and classification of data on your public systems, flags exposed sensitive information, and tracks remediation of misconfigurations—eliminating manual scanning and reducing AC.L2-3.1.22 audit risk.
See how GRCWatch handles this control automatically
Start free trial