3.1.22 has a weight of –1 point

(Access Control Family, control 22 of 22)

Control CUI posted or processed on publicly accessible systems

Example of System Security Plan (SSP):

System Security Plan (SSP) for Control 3.1.22: Publicly Accessible Systems and CUI

1. Control Title: Control of CUI Posted or Processed on Publicly Accessible Systems.

2. Purpose: This SSP ensures that Controlled Unclassified Information (CUI) is protected from inadvertent exposure and is not posted, processed, or stored on publicly accessible information systems.

3. Policy & Implementation:

3.1. ITU Cyber Security Policy Directive: Per company’s directive and the ITU Cyber Security Policy, we prohibit the posting or processing of CUI on any system accessible to the general public.

3.2. Definition of Public Systems: A publicly accessible system is any platform or medium accessible without restriction to the general public, whether digitally via the internet or physically at a particular location.

3.3. Protective Measures: To prevent inadvertent CUI disclosure:

  • We have stringent measures for interfaces like public-facing websites or forms to ensure they neither collect nor display CUI.
  • Regular audits ensure our public platforms and their supporting backend systems remain CUI-free.
  • An established PR review committee evaluates any necessary public communications containing CUI, subjecting them to thorough checks and approvals.

3.4. Training: Employees receive comprehensive training on the importance and methods of safeguarding CUI, including the risks associated with public systems. Periodic reminders bolster this training.

3.5. Incident Management: In case CUI is unintentionally disclosed on a public platform:

  • Procedures are activated for immediate data removal.
  • Affected parties are notified.
  • A post-incident review identifies and rectifies the cause to prevent recurrence.

3.6. Exception Management: All exceptions to this policy must undergo senior management approval and be documented. Before any such exception, the PR review committee ensures the implementation of adequate protection measures.

Example of Plan of Action and Milestones (POA&M):

Plan of Action & Milestones (POA&M) for Control 3.1.22: Publicly Accessible Systems and CUI


Issue/Weakness Identified: Potential inadvertent exposure of Controlled Unclassified Information (CUI) on publicly accessible information systems.


1. Objective: Strengthen the protection measures for CUI across all publicly accessible platforms and ensure strict compliance with the SSP.


2. Milestones & Actions:

2.1. Review and Strengthen Current Measures:

  • Action: Conduct a comprehensive review of existing protective measures for public-facing interfaces.
  • Completion Date: [Date 1]

2.2. Audit Public Platforms:

  • Action: Carry out an exhaustive audit of all public platforms and their backend systems to identify any unintentional CUI presence.
  • Completion Date: [Date 2]

2.3. Revamp Training Program:

  • Action: Update training materials, focusing on recent incidents or near-misses and practical scenarios. Schedule periodic training sessions for all employees.
  • Completion Date: [Date 3]

2.4. Strengthen Incident Management Protocols:

  • Action: Review and refine incident response procedures to ensure swift action, effective communication, and comprehensive post-incident analysis.
  • Completion Date: [Date 4]

2.5. Review and Strengthen Exception Management Process:

  • Action: Reevaluate the exception approval process to ensure senior management is involved and every exception is documented.
  • Completion Date: [Date 5]

2.6. Reinforce Monitoring and Alerts System:

  • Action: Upgrade monitoring tools to improve real-time detection of CUI on public platforms and set up automated alerts for immediate action.
  • Completion Date: [Date 6]

3. Responsible Parties:

  • System Administrators: In charge of implementing security controls, performing regular checks, and ensuring compliance on public-facing systems.

  • Training and Development Team: Update training modules, schedule training sessions, and ensure training effectiveness.

  • Incident Response Team: Streamline the incident response process and lead post-incident reviews.

  • PR Review Committee: Ensure that no CUI is inadvertently disclosed in public communications.

  • Senior Management: Oversee and approve exceptions to the policy and ensure necessary resources are allocated to address the identified issues.


4. Resources Required:

  • Updated cybersecurity tools and software for monitoring and detection.

  • External consultant for a third-party review and recommendations (optional).

  • Additional training materials and resources.


5. Review and Progress Tracking:

Regular reviews will be conducted every [specific time frame, e.g., quarter] to track the progress of each milestone. Adjustments to the action steps will be made based on the feedback from these reviews.

Example of Company Policy: Control of CUI on Publicly Accessible Systems:

Company Policy: Control of CUI on Publicly Accessible Systems


1. Introduction:

This policy outlines the procedures and guidelines established by [Your Company Name] to prevent the inadvertent exposure of Controlled Unclassified Information (CUI) on publicly accessible information systems.


2. Purpose:

To ensure that Controlled Unclassified Information (CUI) is not inadvertently posted, processed, or stored on publicly accessible systems, and to maintain the security and integrity of company data while adhering to federal regulations and guidelines.


3. Scope:

This policy applies to all employees, contractors, consultants, and other workers at [Your Company Name], including all personnel affiliated with third parties.


4. Policy Statement:

4.1. General: Under no circumstances shall CUI be posted, processed, or stored on any publicly accessible systems.

4.2. Definition of Public Systems: For this policy, a publicly accessible system includes any platform or medium accessible without restriction to the general public. This could be digitally, via the internet, or physically at a specific location.

4.3. Protective Measures:

  • Any public-facing websites, forms, or other interfaces owned or managed by [Your Company Name] should be designed to neither collect nor display CUI.

  • A PR review committee is in place to evaluate any necessary public communications to ensure that no CUI is disclosed inadvertently.

4.4. Training: Comprehensive training will be provided to all employees on the importance of not disclosing CUI on public systems. Periodic refresher training will be scheduled.

4.5. Incident Management: In the event that CUI is accidentally disclosed on a public platform, the company will:

  • Promptly remove the exposed data.

  • Notify the affected parties.

  • Conduct a thorough post-incident review to prevent a recurrence.

4.6. Exception Management: Exceptions to this policy will be rare and must be approved by senior management. Each exception will be documented, and protective measures will be implemented to safeguard CUI.


5. Roles and Responsibilities:

5.1. System Administrators: Responsible for maintaining and updating security controls on public-facing systems and verifying that no CUI resides on such systems.

5.2. Training and Development Team: Ensure all employees are aware of this policy and receive periodic training on it.

5.3. Incident Response Team: Address and manage any incidents where CUI is inadvertently disclosed on public systems.

5.4. PR Review Committee: Evaluate public communications for inadvertent CUI disclosures.


6. Compliance:

Violation of this policy may result in disciplinary action, up to and including termination of employment or contract.


7. Review and Updates:

This policy will be reviewed at least annually or as required by changes in laws, regulations, or company needs.


8. Approvals:

This policy has been approved by:

  • CEO: ____________________________ Date: ________

RELEVANT INFORMATION:

In accordance with laws, Executive Orders, directives, policies, regulations, or standards, the public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act, CUI, and proprietary information). This requirement addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Individuals authorized to post CUI onto publicly accessible systems are designated. The content of information is reviewed prior to posting onto publicly accessible systems to ensure that nonpublic information is not included.

Awareness and Training

Awareness and Training (AT) Family (3 controls): Security awareness training. Role-based training. Insider threat awareness.



Resources to consider:

Security Policy Document:

This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

Asset Inventory and Access Control Sheet:

Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

User Account Management Log:

Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

Password and Multi-Factor Authentication Policy:

Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

Process and Script Accountability Log:

Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

Device Access Control and VPN Policy:

Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

Access Control Review and Monitoring Schedule:

Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

User Training and Awareness Materials:

Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.