NIST 800-171 Control 3.1.22: Protecting CUI on Publicly Accessible Systems
Control 3.1.22 requires organizations to identify, document, and control Controlled Unclassified Information (CUI) that may be posted or processed on publicly accessible systems. Non-compliance exposes sensitive data and violates DFARS requirements for government contractors. This guide walks you through implementation, evidence collection, and continuous monitoring.
What this means
This control mandates that you cannot allow CUI to be publicly accessible without explicit authorization and protective measures. You must inventory all systems that touch CUI, verify they're not publicly exposed, and implement technical or procedural controls to prevent unintended disclosure. If public access is necessary for business reasons, you must document the authorization, apply encryption, redaction, or other safeguards, and continuously monitor for violations.
How to comply
- 1.Inventory all systems that process, store, or transmit CUI and classify them as internal or public-facing
- 2.Conduct a technical audit to verify no CUI is currently accessible on public systems (web crawling, API testing, database exposure checks)
- 3.For any CUI that must remain on public systems, document explicit authorization from a data owner or compliance officer
- 4.Implement technical controls: encryption in transit and at rest, data masking, tokenization, or redaction of sensitive fields
- 5.Configure access controls so only authorized roles can view, modify, or export CUI from public systems
- 6.Establish a monitoring process to detect and alert on unauthorized CUI exposure (log aggregation, SIEM rules, DLP tools)
- 7.Train developers and content managers on CUI handling policies before deploying to public systems
- 8.Review and test your controls quarterly or after any system or data model changes
Evidence auditors look for
- System inventory spreadsheet mapping all applications, databases, and APIs that touch CUI, with public/internal designation
- Technical audit report showing results of web vulnerability scans, API exposure tests, and public database discovery
- Data owner authorization documents approving CUI on specific public systems, signed and dated
- Configuration documentation for encryption, masking rules, and access control settings on public-facing systems
- DLP or SIEM policy logs showing detection and alerting rules for CUI exposure events
- Quarterly monitoring reports with screenshots showing no unauthorized CUI exposure detected
- Security training records confirming staff completion of CUI handling procedures
- Change logs or deployment records showing controls were implemented and tested before release
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically scans your systems for CUI exposure, tracks authorization and control configurations in a centralized compliance dashboard, and generates audit-ready evidence reports—eliminating manual spreadsheets and reducing the risk of undetected public CUI leaks.
See how GRCWatch handles this control automatically
Start free trial