03.01.22 — (a) Train authorized individuals to ensure that publicly accessible information does not contain CUI. (b) Review the content on publicly accessible systems for CUI and remove such information, if discovered.
What this control requires
(a) Train authorized individuals to ensure that publicly accessible information does not contain CUI. (b) Review the content on publicly accessible systems for CUI and remove such information, if discovered.
Source: NIST SP 800-171 R3 §03.01.22 (official control text).
Why this matters
This control prevents the accidental exposure of Controlled Unclassified Information through public-facing channels like websites, social media, press releases, or downloadable documents. Organizations routinely publish content to engage customers, partners, and the public, but without proper safeguards, employees may inadvertently post sensitive contract details, technical specifications, pricing structures, or personnel information that adversaries can exploit. A single CUI disclosure on a public website can compromise contract security, violate federal regulations, and trigger breach notification requirements. By training content publishers to recognize CUI and implementing systematic reviews of public content, organizations create a human firewall that catches sensitive information before it reaches unauthorized audiences.
What evidence assessors expect
Assessors typically look for: training certificate, PDF, CSV export, screenshot. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.