CMMC Maturity Level (ML) 1 Practices: Overview of AC.1.004
Editor’s note: This article is one of a series of articles about the CMMC Maturity Level (ML) 1 Practices. In these articles we dive in to the CMMC Practice Guides and provide our thoughts about the practices and what contractors should consider. The CMMC ecosystem is still developing, and as those developments occur, we will update these articles accordingly. As such, we hope that these articles represent an evergreen CMMC ML-1 resource.
|Practice Number: AC.1.004|
|Practice: Control information posted or processed on publicly accessible information systems.|
|[a] individuals authorized to post or process information on publicly accessible systems are identified;|
|[b] procedures to ensure FCI is not posted or processed on publicly accessible systems are identified;|
|[c] a review process is in place prior to posting of any content to publicly accessible systems;|
|[d] content on publicly accessible systems is reviewed to ensure that it does not include FCI; and|
|[e] mechanisms are in place to remove and address improper posting of FCI.|
(source: CMMC ML-1 Assessment Guide)
Overview of AC.1.004: Controls for Federal Contract Information and Controlled Unclassified Information
AC.1.004 focuses on controls to keep Federal Contract Information (FCI) and Controlled Unclassified information (CUI) off publicly accessible systems, such as your company blog, press releases, and social media.
The internet is a key source for new teaming partners, employees, and customers. As a result, most companies share information on the internet to raise their profile. This could include information about major contract awards or even technical information and best practices related to work the company is doing. AC.1.004 and the related Assessment Objectives are intended to control the publishing process.
The Assessment Objectives for this practice are fairly straightforward and should not present a huge technical challenge for most organizations.
To prevent unauthorized posting, organizations need to know who has access to publish information publicly and who is authorized to approve content [a]. Companies should think about access to publish and authorization to approve as two separate functions. For example, it will likely be someone on a web team who has the technical ability to publish content, but the web team is not likely going to be the individuals writing a press release announcing a new teaming partnership. As a result, the people on the web team need to know who is authorized to give them instructions to publish content. Given this, we recommend organizations maintain lists of individuals with the technical capabilities to publish and the authorization to approve publishing information on the company website and social media. To achieve the Assessment Objectives, the authorization process should include someone with the capability to identify FCI and CUI in a publication, such as a government contracts team member or a compliance officer.
[b] Written procedures should be documented to govern the activities described in Assessment Objectives [c], [d], and [e]. Although CMMC Maturity Level 1 does not require policies, we recommend that organizations extensively document requirements relative to this practice because it is very likely to involve individuals from multiple departments including contracting, technology, marketing, and executives.
As described in [a], a company should know who is authorized to approve content prior to being published. These individuals should perform a documented review and approval of all content prior to being published [c]. An assessor may ask to see evidence that content posted publicly was approved by an authorized individual in accordance with the procedure.
This practice also requires some type of detective review process [d] to compliment the preventative approval procedure required by [c]. We recommend that organizations institute a monthly process where all content that was published during the preceding month is reviewed by an appropriate person to determine if FCI/CUI was inadvertently posted. This review should be documented and maintained as evidence for your assessors.
|Key to Success|
|This practice truly demonstrates that CMMC compliance requires the entire organization to be invested in the associated controls, even some organizational departments that might not be accustomed to enforcing security compliance requirements, such as a Marketing.
Great care should be taken to ensure all individuals in this process are appropriately trained to perform all elements of the Assessment Objectives.
Last, the practice requires procedures to remove FCI/CUI if it is discovered that it was inappropriately published [e]. For example, if the monthly review [d] identifies inappropriate disclosures, there should be a process in place to notify the appropriate individual or team with the ability to remove the information. This procedure should be documented [b] along with the other procedures described in this practice.
Relative to many of the other practices, this CMMC practice requirement is fairly straight forward. It simply aims to ensure FCI/CUI is not accidentally published to the internet. Although it should not pose significant technical challenges, compliance with this practice will likely require participation from departments and individuals not typically involved in cybersecurity. As a result, we recommend creating a well-crafted procedure and/or policy that describes the process and who is authorized to approve publishing content. Additionally, we recommend providing training for those involved to ensure they have the motivation and understanding required to consistently perform their responsibilities.
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.