03.01.21 —

What this control requires

Source: NIST SP 800-171 R3 §03.01.21 (official control text).

Why this matters

This control addresses the restriction of Controlled Unclassified Information (CUI) posted or processed on publicly accessible systems. When organizations expose CUI on public-facing websites, file shares, or cloud storage without proper access controls, they risk unauthorized disclosure to adversaries, competitors, or malicious actors. This includes information inadvertently published through misconfigured web servers, public repositories, or social media. The threat extends beyond direct data theft—exposed CUI can reveal operational details, technical specifications, or personnel information that adversaries use for reconnaissance and targeted attacks. Protecting CUI from public exposure maintains national security interests and contractual obligations with federal agencies.

What evidence assessors expect

Assessors typically look for: PDF, screenshot, configuration export, CSV export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls