3.1.22 Control CUI posted or processed on publicly accessible systems.

In accordance with laws, Executive Orders, directives, policies, regulations, or standards, the public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act, CUI, and proprietary information). This requirement addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Individuals authorized to post CUI onto publicly accessible systems are designated. The content of information is reviewed prior to posting onto publicly accessible systems to ensure that nonpublic information is not included.

Actionable Items: Ensure that all outward facing interfaces do not have CUI on them. This would include WEB servers and FTP servers. In the case of FTP servers that you may share CUI information with subcontractors make sure that it is a secure FTP and that each subcontractor has an isolated account on that server and that the information is strictly for that contractor.