This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Designates individuals authorized to post information onto a publicly accessible information system;
b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and
d. Reviews the content on the publicly accessible information system for nonpublic information [FedRAMP Assignment: (L)(M)(H) at least quarterly] and removes such information, if discovered.
NIST 800-53 (r4) Supplemental Guidance:
In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy. Related controls: AC-3, AC-4, AT-2, AT-3, AU-13.
References: None.
NIST 800-53 (r5) Discussion:
In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the PRIVACT and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible.
38North Guidance:
Meets Minimum Requirement:
If the system is accessible by the general public without the need for authentication and authorization, then the organization must designate and document the personnel who are authorized to post information on the publicly-facing website and provide documented training to the personnel who hold those responsibilities. This can be internally-developed training or a Learning Management System (LMS) module.
Document the review of information by designated personnel before that information is posted.
Designate personnel to review information posted to publicly-facing websites on a recurring quarterly basis, and track these activities as evidence of the reviews, using a ticketing system or another form of tracking the organization determines to be sufficient.
Best Practice:
Ensure that all posting to a publicly-facing website is done only by trained personnel and is reviewed by other trained personnel before the posting takes place. Review the publicly-facing website at least quarterly to verify that the posted information is indeed appropriate for general public viewing/consumption, and remove any posted information that is not appropriate for the general public.
Unofficial FedRAMP Guidance: None.
Assessment Evidence:
LMS modules or a tracking sheet showing that specific/designated personnel have completed training on posting information to the organization's website.
Tracking system or ticket showing the peer review of information before the posting takes place, with evidence that the date/time recorded in the peer-review ticket precedes the actual posting of the information.
Tracking system or ticket as evidence of an at least quarterly review of the publicly-facing website to ensure that only appropriate information is posted and that non-public information is removed.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD