CMMC SC.3.193 - Restrict Publication of CUI on Internet Sites

Requirement text: SC.3.193: Implement a policy restricting the publication of CUI on externally-owned,
publicly accessible websites (e.g., forums, LinkedIn, Facebook, Twitter).

DISCUSSION FROM SOURCE: CMMC
Define and enforce a policy that restricts employees from publishing or posting CUI on public
websites such as forums and social media outlets.

CMMC CLARIFICATION
Establish a defined and communicated policy to prohibit employees from posting CUI on a
publicly facing website. This includes social media outlets such as Facebook, LinkedIn, and
Twitter. This policy applies to business related and personal posts.

Example
You are a program manager for a contract that uses CUI. To ensure you are protecting your
information correctly, you inform everyone working on the project of your existing policy
that prohibits the posting of CUI on public websites. This includes any job- or industry-related
forums or discussions that may reference your contract work. You include these
instructions in your initial project kick-off briefing and in the briefing to any employees who
join the project once it is underway. You also include a reminder in your company’s annual
security training.

References
• CMMC