AC.L2-3.1.22 — Control CUI posted or processed on publicly accessible systems.
What this control requires
Control CUI posted or processed on publicly accessible systems.
Source: CMMC L2 v2.13 AC.L2-3.1.22 / NIST SP 800-171 R2 3.1.22 (official control text).
Why this matters
Public-facing systems—websites, customer portals, file shares, collaboration spaces—are visible to anyone on the internet. If CUI accidentally appears there, adversaries, competitors, or unauthorized parties gain immediate access without needing credentials or exploits. This control prevents inadvertent disclosure by establishing who can publish to public systems, mandating pre-publication review, and ensuring technical barriers exist to stop CUI from reaching public endpoints. It protects sensitive contract data, technical specifications, employee information, and proprietary methodologies from landing where search engines and threat actors can harvest them.
What evidence assessors expect
Assessors typically look for: signed letter, screenshot, CSV export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.