Overview:
The organization:
a. Designates individuals authorized to post information onto a publicly accessible information system;
b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and
d. Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered.
Supplemental Guidance:
In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy.
Related Controls:>/b> AC-3, AC-4, AT-2, AT-3, AU-13
Action Items:
1) Create a Social Media Policy
2) Create processes around reviewing and approving and publicly posted content
Related Documents:
1) Access Control Policy
2) Data Classification Policy
3) Social Media Policy
Additional Guidance:
Moderate FedRAMP-Defined Assignment / Selection Parameters
AC-22 (d) [at least quarterly]
Moderate Additional FedRAMP Requirements and Guidance
none
Article ID: 51
Created: September 25, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/fedramp-publicly-accessible-content-ac-22-51.html