🛡️ Navigating CMMC Practice 3.1.22

NIST SP 800-171 Practice 3.1.22 (CMMC Level 1/2) mandates that organizations control and monitor information posted to public systems like websites and social media. The goal is to prevent the accidental release of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Five Pillars of the Assessment

  • 👤 Authorization: Document and maintain a list of specific individuals permitted to post content publicly.
  • 📝 Review Procedures: Establish a formal process to review all content before it is published.
  • 🕵️ FCI/CUI Training: Ensure reviewers are specifically trained to identify nonpublic data (marketing teams often need this).
  • Execution: Verify that the review process is consistently followed for every post.
  • 🧹 Incident Response: Define a clear procedure for the immediate removal of nonpublic information if it is discovered on a public site.

Implementation Strategy

This is primarily a non-technical (organizational) control. While tools like Microsoft Entra ID or Google Workspace DLP can assist, compliance relies on documented policies, quarterly audits, and annual staff training to maintain data integrity.

Organizations should prevent the release of nonpublic information on systems accessible to the public. Systems accessible to the public include websites and social media. Organizations should document authorizations for individuals permitted to post content on public systems. Organizations should document and follow two defined procedures related to this practice. One procedure should define steps for reviewing information before its release. Another should detail actions for removing nonpublic information when discovered.

This blog will discuss the following topics around 3.1.22:

  • A Brief History
  • Practice Statement
  • Assessment Objectives
  • NIST SP 800-53 Mapping
  • Analysis of Discussion
  • DoD Criticality
  • Scope of Applicability
  • Inheritance
  • Implementation
  • Policy Statements
  • Continuous Monitoring Tasks
  • Proposed Rev 3 Changes
  • Conclusion

A Brief History

In June 2015, NIST introduced special publication (SP) 800-171. NIST retained the identification number of 3.1.22 through the first and second revisions. NIST SP 800-171 Revision 3 has changed this requirement's number to 03.01.22.

The cybersecurity maturity model certification (CMMC) rule will verify SP 800-171 Rev 2. CMMC 1.02 numbered this practice AC.1.004, then AC.L1-3.1.22 under CMMC 2.0. This practice applies to organizations seeking compliance within any level of CMMC.

As of 12/22/23, CMMC 2.1 creates two numbers for this practice:

  • CMMC Level 1 uses the label AC.L1-B.1.IV. Section b(iv) references the Federal Acquisition Regulation (FAR) clause 52.204-21.
  • CMMC Level 2 uses the label AC.L2-3.1.22. AC identifies the access control domain. L2 identifies the applicability to CMMC Level 2. 3.1.22 references the original number from NIST SP 800-171 Rev 2 (3.1.22).

The level 1 practice defines nonpublic information as Federal Contract Information (FCI). The level 2 practice defines nonpublic information as Controlled Unclassified Information (CUI).

Practice Statement

NIST derived seventy-nine security requirements from SP 800-53 Rev 4. Below is the original language from AC-22 within SP 800-53 Rev 4:

Image Source: NIST SP 800-53 Rev 4

NIST abbreviated the language for 3.1.22 in SP 800-171 to:

Image Source: NIST SP 800-53 Rev 4

Assessment Objectives

NIST SP 800-171A provides assessment procedures for the corresponding SP 800-171 practices. These procedures apply assessment methods to assessment objects. Assessment methods include examination of artifacts, interviews of personnel, and tests of mechanisms. The assessor evaluates each part to produce a finding. A “satisfied” finding indicates an acceptable implementation result. A finding of “other than satisfied” indicates potential anomalies.

The assessment objectives for 3.1.22 contain five parts:

Image Source: NIST SP 800-171A

NIST SP 800-53 Mapping

Appendix D within SP 800-171 maps security requirements to SP 800-53 Rev 4 controls. This mapping relates 3.1.22 to AC-22.

Table D-1 NIST SP 800-171

We mapped these five objectives to the closest SP 800-53 Rev 5 control parts. We also used NIST IR 8477 to define the nature and strength of the relationships. The findings indicated that:

  • AC.L2-3.1.22(a) is equal to AC-22(a)
  • AC.L2-3.1.22(b) intersects with AC-22(b) (moderate)
  • AC.L2-3.1.22(c) is equal to AC-22(c)
  • AC.L2-3.1.22(d) is a subset of AC-22(d) (strong)
  • AC.L2-3.1.22(e) is a subset of AC-22(d) (nominal)

Image Source: NIST SP 800-171 vs 800-53 Crosswalk

Analysis of Discussion

The 3.1.22 discussion draws on the supplemental guidance from AC-22. 

Content Accessible to the Public

NIST incorporates the highlighted text from AC-22 into the 3.1.22 discussion:

Image Source: NIST SP 800-53 Rev 4

The last two sentences of the CMMC Assessment Guide discussion are new:

Organizations should identify individuals authorized to post FCI/CUI onto public systems. They should review the information before posting onto public systems. This review ensures that nonpublic information is not included.

The CMMC Assessment Guide also provides a practical guide for further discussion. This section simplifies the concept by including actionable steps:

Do not allow FCI/CUI to become public. Always safeguard the confidentiality of FCI/CUI. Control the posting of FCI/CUI on company-controlled websites or public forums. Control the exposure of FCI/CUI in public presentations or on public displays. Identify users allowed to publish information on systems accessible to the public. This includes your company website. Put in place a review process before posting such information. If discovered, have procedures to remove FCI/CUI and alert the appropriate parties.

The CMMC Assessment Guide also provides an example:

Your company decides to start issuing press releases about projects. Your company receives FCI/CUI from the government as part of its DoD contract. Recognize the need to manage controlled information. Meet with the employees who write the releases and post information. Establish a review process [c] before posting it on the company website [a,d]. Limit employee authorizations to post to the website [a].

DoD Criticality

The NIST SP 800-171 DoD Assessment Methodology Version 1.2.1 assigns a 1-point value to this practice. Failing to control content made public has a limited effect on data security. CMMC section 170.21(iii)(B) removes the eligibility of limited deficiency in this practice. This practice aligns with the basic cybersecurity safeguards requirements of 52.204-21.

Scope of Applicability

Appendix C within NIST SP 800-53 Rev 5 discusses three implementation approaches:

  • (S) implemented by an information system through technical means
  • (O) implemented by an individual through nontechnical means
  • (O/S) implemented by an organization, system, or combination of the two

NIST defines the implementation of the corresponding SP 800-53 controls as:

  • AC-22 as (O) organizational

The crosswalk suggests that 3.1.22 requires a nontechnical implementation. The Defense Contract Management Agency (DCMA) published guidance for assessing SP 800-171. The DCMA Guide identifies documents as the relevant evidence for parts (a) and (b). Parts (c), (d) and (e) list artifacts as the relevant evidence. We concluded all parts of this practice are non-technical.

The scope focuses on the process of making information available to the public. This includes your website and social media accounts. This practice is unique because these are out-of-scope technology components. The relevant procedures likely include members of your marketing department.

Inheritance

Microsoft Azure

Microsoft’s customer responsibility matrix indicates that AC-22 is an inheritable control. 

Although Microsoft allows full inheritance of this control relative to their systems, contractors are still required to implement this control for any publicly accessible systems that they operate. 

Amazon AWS

Amazon’s customer responsibility matrix indicates that AC.L2-3.1.22 is a shared control.

By design, the resources deployed in AWS Accounts are not public. Additionally, AWS does not allow direct public access to any account. AWS also enables AWS Config in all accounts and deploys AWS Config Managed Rules to detect if any EC2 instance is assigned a Public IP.

Information stored in S3 is not publicly accessible by design and by default. Customers can leverage AWS Config Managed rules s3-bucket-public-read-prohibited and s3-bucket-public-write-prohibited to detect if a bucket is made public. These rules will run every time a new bucket is created, when an existing bucket is modified, and every 24 hours.
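The two managed rules named above decide compliance from a bucket's Block Public Access settings, its ACL and its bucket policy. The following Python is an added example written for this post, not AWS's rule implementation: it approximates that decision offline against already-fetched bucket metadata (the shapes returned by GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy), so it runs without an AWS account. Bucket names and policies are constructed, and policy Condition blocks are treated more strictly than the AWS rules treat them (see the comment in `_policy_grants`).

```python
"""Offline approximation of the AWS Config managed rules
s3-bucket-public-read-prohibited and s3-bucket-public-write-prohibited.

Added example, not AWS's own rule logic. It evaluates bucket metadata that
has already been fetched, so it needs no credentials. Sample buckets are
constructed.
"""
from dataclasses import dataclass, field

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Policy actions (lower-cased) that grant object read or write.
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:put*", "s3:delete*", "s3:*", "*"}
# ACL permissions that grant object read or write.
READ_ACL_PERMS = {"READ", "FULL_CONTROL"}
WRITE_ACL_PERMS = {"WRITE", "FULL_CONTROL"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _policy_grants(policy: dict, actions: set) -> bool:
    """True if an Allow statement gives an anonymous principal one of `actions`.

    Simplification: Condition blocks are ignored, so a statement limited by
    aws:SourceIp or a VPC endpoint is still flagged. That is stricter than the
    AWS rules, which do not count such policies as public.
    """
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if any(a.lower() in actions for a in _as_list(stmt.get("Action", []))):
            return True
    return False


def _acl_grants(grants: list, perms: set) -> bool:
    """True if AllUsers or AuthenticatedUsers holds one of `perms` in the ACL."""
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_ACL_GROUPS
                and grant.get("Permission") in perms):
            return True
    return False


@dataclass
class Bucket:
    name: str
    public_access_block: dict = field(default_factory=dict)  # GetPublicAccessBlock fields
    acl_grants: list = field(default_factory=list)            # GetBucketAcl "Grants"
    policy: dict = field(default_factory=dict)                # GetBucketPolicy document


def _verdict(exposed: bool) -> str:
    return "NON_COMPLIANT" if exposed else "COMPLIANT"


def evaluate(bucket: Bucket) -> dict:
    """Mirror the rules' two tests: a public policy only counts when
    RestrictPublicBuckets is off, a public ACL only when IgnorePublicAcls is off."""
    pab = bucket.public_access_block
    policy_live = not pab.get("RestrictPublicBuckets", False)
    acl_live = not pab.get("IgnorePublicAcls", False)

    def exposed(actions, perms):
        return ((policy_live and _policy_grants(bucket.policy, actions))
                or (acl_live and _acl_grants(bucket.acl_grants, perms)))

    return {
        "s3-bucket-public-read-prohibited": _verdict(exposed(READ_ACTIONS, READ_ACL_PERMS)),
        "s3-bucket-public-write-prohibited": _verdict(exposed(WRITE_ACTIONS, WRITE_ACL_PERMS)),
    }


def evaluate_all(buckets) -> dict:
    return {b.name: evaluate(b) for b in buckets}


ANON_READ_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::BUCKET/*"}]}
ALL_BLOCKED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

# Constructed sample inventory: a public website bucket, a bucket whose stray
# public policy is neutralised by Block Public Access, and a bucket with a
# world-writable ACL.
SAMPLE_BUCKETS = [
    Bucket("marketing-site", policy=ANON_READ_POLICY),
    Bucket("contract-docs", public_access_block=ALL_BLOCKED, policy=ANON_READ_POLICY),
    Bucket("upload-drop", acl_grants=[{"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE"}]),
]

if __name__ == "__main__":
    for name, result in evaluate_all(SAMPLE_BUCKETS).items():
        print(name, result)
```

The `contract-docs` case is the one worth noting: the bucket carries a public-read policy, yet both rules report COMPLIANT because RestrictPublicBuckets neutralises it, which is exactly why the managed rules are evaluated on the combination of settings rather than on the policy alone.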

To further limit the access based on the organizational security policies and procedures customers can deploy:

  • A Firewall in Transit Account for ingress and egress traffic monitoring to and from public network
  • Security Groups within each Account and configure inbound and outbound rules 

AWS customers are responsible for the following:

  1. Designating individuals authorized to post information onto a publicly accessible information system.
  2. Training authorized individuals to ensure that publicly accessible information does not contain nonpublic information.
  3. Reviewing the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included.
  4. Reviewing the content on the publicly accessible information system for nonpublic information [<Organization's> Assignment: at least quarterly] and removing such information, if discovered.

Google Workspace

Google’s CMMC Implementation Guide indicates that AC.L2-3.1.22 is a customer control.

When configured correctly, the following key service(s) in Google Cloud Console may be used to support this control:

  • Cloud Storage Public Access Prevention - Provide a strong, centralized way to prevent public access to Cloud Storage buckets, overriding individual bucket/object permissions that might allow public access.
  • IAM - Control who has permission to configure resources, including potentially making them public.
  • Identity-Aware Proxy (IAP) - Secure web applications and other resources, ensuring they are not publicly accessible without authentication.
  • VPC Service Controls - Create perimeters around sensitive data stores to prevent data exposure.
  • Cloud DLP (Data Loss Prevention) - Scan storage and data streams to detect potential CUI exposure.
  • Organization Policies - Help prevent configurations that lead to public accessibility.

Implementation

Let's start with part (a). Identify individuals authorized to post information to the website or social media accounts. Assessors will want to know the names of the authorized individuals. Create a list of users authorized to post content to systems accessible to the public.

Parts (b) and (c) look for an established procedure for posting information. This procedure may start with the individual creating a draft of content to publish. Part (c) instructs the procedure to include a review of this draft. Assign the review responsibility to an individual trained to identify FCI/CUI. Note that members of the marketing team may not receive this training.

FCI is information not releasable to the public. Organizations may receive or create FCI under a Federal contract. FCI does not include information provided by the Government to the public. This includes information on public websites or simple transactional information to process payments.

Image Source: NARA CUI Program Blog

Controlled unclassified information (CUI) is a type of FCI. CUI includes information the Government creates or possesses. It also includes information an entity creates or possesses for the Government. CUI has governance permitting an agency to handle it using safeguarding controls. CUI does not include classified information. It excludes some information a nonfederal entity possesses in its systems. This exclusion applies to information that:

  • Did not come from an executive branch agency or an entity acting for an agency, or
  • Was not created or possessed by or for an executive branch agency or an entity acting for an agency.

The Department of Defense has created free training on CUI. Organizations working in the defense industrial base should train employees to recognize CUI. Training should extend to individuals posting or reviewing content on public systems. 

Part (d) ensures that the organization follows procedures when posting public information. Organizations should document these reviews to establish records of content reviews before publishing. Here is an example procedure for reviewing content published on public systems:

  1. Individuals authorized to post public information create a draft of new content. 
  2. An authorized reviewer ensures that drafted content does not contain FCI or CUI.
  3. The reviewer documents the review of drafted content to include the following information:
    1. Content writer name and draft submission date
    2. Reviewer name and review date
  4. The reviewer approves content for public release, or
  5. Marks content containing nonpublic information and returns it to the content writer.
  6. Content writers must resubmit edited content for approval after receiving markings.
  7. Authorized individuals only publish approved content to the organization’s website and social media.

Part (e) establishes a procedure for removing nonpublic information when discovered. Here is an example procedure that may help address the first and last part of this practice:

  1. Notify the following upon discovery of nonpublic information on public systems:
    1. Individuals trained to identify FCI/CUI
  2. When alerted, trained individuals verify the presence of nonpublic information within 24 hours.
  3. Trained individuals prepare a brief and document the following:
    1. Web pages or social media suspected to contain nonpublic information
    2. Identification date of the content 
    3. Name of the person who made the discovery
    4. Determination of whether the suspected information contains nonpublic information
    5. If applicable, categorize the nonpublic information (FCI, CUI, etc.)
    6. If applicable, mark any nonpublic information
  4. The briefing should remain protected based on the relevant safeguarding requirements. The reviewer sends the briefing to the following individuals:
    1. Marketing department head
    2. Executive leadership team
  5. The marketing department removes any nonpublic information identified by the reviewer. After removing nonpublic information from the public system(s), marketing:
    1. Confirms the removal of nonpublic information
    2. Identifies the individual(s) responsible for publishing nonpublic information
    3. Identifies the date of the publication containing nonpublic information
  6. Marketing updates the brief and sends it to the Executive leadership team.
  7. The Executive leadership reviews the briefing. The organization may take further actions based on the nature of the information disclosed.

Microsoft Environment

Microsoft provides guidance that helps explain the potential steps for meeting these requirements. They acknowledge the need for documented policies and procedures. Configurations within Entra ID can enforce access permissions to nonpublic information.

Entra ID (Azure AD)

Google Environment

ATX Defense published similar instructions for Google Workspace. They also recommend developing a process around reviewing information before public release. They recommend defining a process to handle inadvertent disclosures of nonpublic information. Creating drive labels helps categorize nonpublic information within Google Drive. Using Workspace DLP can help prevent data loss.

Policy Statements

Several statements within the CMMC Access Control Policy template align with 3.1.22:

Publicly Accessible Content

Authorizations to post or process information on publicly accessible systems will be documented in the access management database.

Content on publicly accessible systems will be reviewed according to defined procedures to ensure it does not contain FCI and CUI prior to posting.

Publicly accessible systems shall be reviewed quarterly by designated security personnel to ensure that sensitive information is not posted or processed by these systems.

Continuous Monitoring Tasks

A continuous monitoring task verifies that controls produce the desired outcome(s). Practice 3.1.22 has two desired outcomes:

  • Prevent inadvertent disclosures of nonpublic information on systems accessible to the public
  • Remove nonpublic information from systems accessible to the public when identified

Organizations should review content on systems accessible to the public for nonpublic information. The FedRAMP Moderate baseline specifies a quarterly review [AC-22(d)]. Nonpublic information includes:

  • Federal Contract Information (FCI)
  • Controlled Unclassified Information (CUI)

Other continuous monitoring activities may include:

  • Annual CUI training for individuals authorized to:
    • Review content drafted for publication on systems accessible to the public
    • Post information to the organization's website and social media.
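A quarterly review of public pages is easier to evidence when the first pass is automated. The following Python is an added example, not part of this post or of the guides it cites: it scans page text for CUI banner markings, designation-indicator fields and legacy FOUO markings, and emits findings (page, line, marking) that a trained reviewer can carry into the brief described under part (e). The patterns are a heuristic built from the CUI marking format; a hit is a candidate for review, not a determination. The pages and URLs are constructed.

```python
"""Scan published page text for CUI markings and designation indicators.

Added example, not from the post or the guides it cites. The patterns are a
constructed heuristic based on the CUI banner and designation-indicator
format; a hit is a candidate for a trained reviewer, not a determination.
Sample pages and URLs are constructed.
"""
import re
from dataclasses import dataclass

MARKING_PATTERNS = {
    # A line that is nothing but a banner, e.g. "CUI" or "CONTROLLED//SP-CTI//FED ONLY".
    "cui_banner": re.compile(
        r"^[ \t]*(?:CUI|CONTROLLED)(?://[A-Z0-9 ,/\-]+)*[ \t]*$", re.MULTILINE),
    # A category or dissemination marking embedded in running text.
    "cui_category_marking": re.compile(
        r"\b(?:CUI|CONTROLLED)//[A-Z0-9\-]+(?:/[A-Z0-9\-]+)*(?://[A-Z0-9 ,\-]+)?"),
    # Designation-indicator fields that travel with marked documents.
    "designation_indicator": re.compile(
        r"^[ \t]*(?:Controlled by|CUI Category|Distribution/Dissemination Control"
        r"|Dissemination Control):", re.MULTILINE | re.IGNORECASE),
    # Legacy pre-CUI marking still found on older material.
    "legacy_fouo": re.compile(r"\bFOUO\b|\bFOR OFFICIAL USE ONLY\b", re.IGNORECASE),
}


@dataclass(frozen=True)
class Finding:
    url: str
    line: int
    marker: str
    text: str  # the matched marking, quoted in the reviewer's brief


def scan_page(url: str, text: str) -> list:
    """Return findings for one page, one per (line, matched text), ordered by line."""
    seen = set()
    findings = []
    for marker, pattern in MARKING_PATTERNS.items():
        for m in pattern.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            matched = m.group(0).strip()
            key = (line, matched)
            if key in seen:  # the same banner can satisfy two patterns
                continue
            seen.add(key)
            findings.append(Finding(url, line, marker, matched))
    return sorted(findings, key=lambda f: (f.line, f.marker))


def review_report(pages: dict) -> dict:
    """Map every page URL to its findings; an empty list means nothing to escalate."""
    return {url: scan_page(url, text) for url, text in pages.items()}


# Constructed sample pages: a press release with a pasted-in marked document,
# and a careers page that merely mentions CUI training.
SAMPLE_PAGES = {
    "https://example.com/news/press-release-42": (
        "Example Corp Wins Follow-on Contract\n"
        "We are proud to continue supporting our government customer.\n"
        "CUI//SP-CTI\n"
        "Controlled by: Program Office (constructed)\n"
        "The attached performance summary details delivery milestones.\n"
    ),
    "https://example.com/careers": (
        "Join a team that completed its annual CUI awareness training.\n"
        "We hire engineers, analysts, and marketers.\n"
    ),
}

if __name__ == "__main__":
    for url, findings in review_report(SAMPLE_PAGES).items():
        status = "REVIEW" if findings else "clean"
        print(f"{status:6} {url}")
        for f in findings:
            print(f"       line {f.line}: {f.marker} -> {f.text!r}")
```

The careers page shows the deliberate trade-off: the word "CUI" inside a sentence is not flagged, only a banner line, a `//`-qualified marking or a designation field is, so the reviewer's queue stays short at the cost of missing unmarked nonpublic content, which remains the human reviewer's job.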

Proposed Rev 3 Changes

NIST SP 800-171 Rev 3 aligns 03.01.22 with AC-22 from SP 800-53 Rev 5. There are only three parts to 03.01.22.

  • Part (a) requires training for individuals authorized to post public information.
  • Part (b) requires a periodic review of content for CUI on systems accessible to the public.
  • Part (c) requires the removal of CUI from systems accessible to the public if discovered.

The crosswalk below shows the mapping of these requirements back to related parts of 3.1.22 from Revision 2:

Image Source: NIST SP 800-171 Rev 3 Crosswalk Calculator

Conclusion

Manage the risk of disclosing nonpublic information through your website and social media. Train employees posting and reviewing content on systems accessible to the public. Define and follow a process to review content before publication. Establish records associated with these reviews. Define a process to remove nonpublic information if discovered on public systems. Establish records associated with responses to nonpublic information discovered on public systems.

❓ CMMC Practice 3.1.22 FAQ

What is considered a "Public System"?

It includes any platform accessible to the general public, primarily your company website and all corporate social media accounts (LinkedIn, Twitter, etc.). It also extends to public displays and presentations.

How does CMMC differentiate between Level 1 and Level 2 for this practice?

The requirement is similar, but the data type changes. Level 1 (FCI) focuses on basic federal contract info, while Level 2 (CUI) deals with more sensitive Controlled Unclassified Information. Level 2 requires more detailed evidence of "satisfied" objectives.

Does this require a technical software solution?

No. NIST defines this as an (O) Organizational control. While you can use technical tools like Google DLP to help, compliance is proven through documented policies, lists of authorized users, and records of pre-publication reviews.

How often should we review existing public content?

While Rev 2 is slightly less specific, Rev 3 and FedRAMP baselines suggest a quarterly review of public systems to verify that no nonpublic information has been inadvertently disclosed.
