Evidence – AC.L2-3.1.22
Control Publicly Accessible Content
Control Overview
This document describes the evidence used to demonstrate implementation of AC.L2-3.1.22, which requires control of information posted or made available on publicly accessible systems.
This evidence supports the control response documented in the System Security Plan (SSP).
Evidence Objectives
Evidence for this control demonstrates that:
- Publicly accessible content is reviewed and approved
- CUI is not posted to public systems
- Controls exist to prevent unauthorized public disclosure
Evidence Artifacts
1. Public Content Review and Controls
Evidence demonstrating control of public content may include:
- Approval process for publishing public-facing information
- Restrictions preventing CUI from being posted publicly
- Configuration limiting who can publish content externally
Examples of acceptable sources:
- Microsoft 365 tenant settings governing external publishing
- SharePoint or Teams external access controls
- Google Workspace sharing and publishing restrictions
Evidence Retention
Evidence supporting this control is retained in accordance with organizational policy and contractual requirements and is available for review during assessment.
Notes
Publicly accessible systems must not expose CUI and must be governed by explicit approval and access controls.