DoD Contractor Considerations for CMMC Practice Guide AC.L1-3.1.22

Note: Important Change as of November 2021
The Department of Defense announced a major overhaul to the Cybersecurity Maturity Model Certification (CMMC) program. No new contracts will feature CMMC compliance requirements until the Department completes its rulemaking process for CMMC 2.0. Read our summary of the changes, Goodbye CMMC 1.0, Hello CMMC 2.0. For more detailed information, visit the CMMC website.

Keiter’s Cybersecurity team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors.

CMMC Maturity Level (ML) 1 Practices: Overview of AC.L1-3.1.22

Editor’s note: This article is one of a series of articles about the CMMC Maturity Level (ML) 1 Practices. In these articles we dive in to the CMMC Practice Guides and provide our thoughts about the practices and what contractors should consider. The CMMC ecosystem is still developing, and as those developments occur, we will update these articles accordingly. As such, we hope that these articles represent an evergreen CMMC ML-1 resource.

(source: CMMC ML-1 Assessment Guide)

Overview of AC.L1-3.1.22: Controls for Federal Contract Information and Controlled Unclassified Information

AC.L1-3.1.22 focuses on controls to keep Federal Contract Information (FCI) and Controlled Unclassified information (CUI) off publicly accessible systems, such as your company blog, press releases, and social media.

The internet is a key source for new teaming partners, employees, and customers. As a result, most companies share information on the internet to raise their profile. This could include information about major contract awards or even technical information and best practices related to work the company is doing. AC.L1-3.1.22 and the related Assessment Objectives are intended to control the publishing process.

The Assessment Objectives for this practice are fairly straightforward and should not present a huge technical challenge for most organizations.

To prevent unauthorized posting, organizations need to know who has access to publish information publicly and who is authorized to approve content [a]. Companies should think about access to publish and authorization to approve as two separate functions. For example, it will likely be someone on a web team who has the technical ability to publish content, but the web team is not likely going to be the individuals writing a press release announcing a new teaming partnership. As a result, the people on the web team need to know who is authorized to give them instructions to publish content. Given this, we recommend organizations maintain lists of individuals with the technical capabilities to publish and the authorization to approve publishing information on the company website and social media.  To achieve the Assessment Objectives, the authorization process should include someone with the capability to identify FCI and CUI in a publication, such as a government contracts team member or a compliance officer.

[b] Written procedures should be documented to govern the activities described in Assessment Objectives [c], [d], and [e].  Although CMMC Maturity Level 1 does not require policies, we recommend that organizations extensively document requirements relative to this practice because it is very likely to involve individuals from multiple departments including contracting, technology, marketing, and executives.

As described in [a], a company should know who is authorized to approve content prior to being published. These individuals should perform a documented review and approval of all content prior to being published [c]. An assessor may ask to see evidence that content posted publicly was approved by an authorized individual in accordance with the procedure.

This practice also requires some type of detective review process [d] to compliment the preventative approval procedure required by [c]. We recommend that organizations institute a monthly process where all content that was published during the preceding month is reviewed by an appropriate person to determine if FCI/CUI was inadvertently posted. This review should be documented and maintained as evidence for your assessors.

Key to Success

This practice truly demonstrates that CMMC compliance requires the entire organization to be invested in the associated controls, even some organizational departments that might not be accustomed to enforcing security compliance requirements, such as a Marketing. Great care should be taken to ensure all individuals in this process are appropriately trained to perform all elements of the Assessment Objectives.

Last, the practice requires procedures to remove FCI/CUI if it is discovered that it was inappropriately published [e]. For example, if the monthly review [d] identifies inappropriate disclosures, there should be a process in place to notify the appropriate individual or team with the ability to remove the information. This procedure should be documented [b] along with the other procedures described in this practice.

Conclusion

Relative to many of the other practices, this CMMC practice requirement is fairly straight forward. It simply aims to ensure FCI/CUI is not accidentally published to the internet. Although it should not pose significant technical challenges, compliance with this practice will likely require participation from departments and individuals not typically involved in cybersecurity. As a result, we recommend creating a well-crafted procedure and/or policy that describes the process and who is authorized to approve publishing content. Additionally, we recommend providing training for those involved to ensure they have the motivation and understanding required to consistently perform their responsibilities.

Interested in learning more about CMMC services for your defense contracts? Contact us. We are here to help.