AC.L1-3.1.22 — Control CUI posted or processed on publicly accessible systems.
What this control requires
Control CUI posted or processed on publicly accessible systems.
Source: CMMC L1 v2.13 AC.L1-3.1.22 / FAR 52.204-21(b)(1) / NIST SP 800-171 R2 3.1.22 (official control text).
Why this matters
This control prevents accidental or intentional disclosure of Controlled Unclassified Information on systems the public can access without authentication. It matters because once CUI appears on a public website, SharePoint site with anonymous access, or publicly accessible cloud storage bucket, the organization loses control over who sees it and how it spreads. The threat is twofold: competitors or adversaries gain intelligence from leaked contract details, technical specifications, or customer data, and the organization faces regulatory penalties, contract termination, and reputational harm. Organizations must designate who can publish to public systems and enforce mandatory review before content goes live.
What evidence assessors expect
Assessors typically look for: PDF, screenshot, CSV export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
Related controls
See your live posture on AC.L1-3.1.22.
FORCE shows where you stand on this control and walks you through closing it.
Start a free trial tenant →