compliance controls are associated with this Policy definition 'Review publicly accessible content for nonpublic information' (b5244f81-6cab-3188-2412-179162294996)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
AC-22 |
FedRAMP_High_R4_AC-22 |
FedRAMP High AC-22 |
Access Control |
Publicly Accessible Content |
Shared |
n/a |
The organization:
a. Designates individuals authorized to post information onto a publicly accessible information system;
b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and
d. Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered.
Supplemental Guidance: In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on
non-organization information systems is covered by organizational policy. Related controls: AC-3, AC-4, AT-2, AT-3, AU-13.
Control Enhancements: None.
References: None. |
link |
4 |
| FedRAMP_Moderate_R4 |
AC-22 |
FedRAMP_Moderate_R4_AC-22 |
FedRAMP Moderate AC-22 |
Access Control |
Publicly Accessible Content |
Shared |
n/a |
The organization:
a. Designates individuals authorized to post information onto a publicly accessible information system;
b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and
d. Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered.
Supplemental Guidance: In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on
non-organization information systems is covered by organizational policy. Related controls: AC-3, AC-4, AT-2, AT-3, AU-13.
Control Enhancements: None.
References: None. |
link |
4 |
| hipaa |
19134.05j1Organizational.5-05.j |
hipaa-19134.05j1Organizational.5-05.j |
19134.05j1Organizational.5-05.j |
19 Data Protection & Privacy |
19134.05j1Organizational.5-05.j 05.02 External Parties |
Shared |
n/a |
The public has access to information about the organization's security and privacy activities and is able to communicate with its senior security official and senior privacy official. |
|
12 |
| NIST_SP_800-171_R2_3 |
.1.22 |
NIST_SP_800-171_R2_3.1.22 |
NIST SP 800-171 R2 3.1.22 |
Access Control |
Control CUI posted or processed on publicly accessible systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
In accordance with laws, Executive Orders, directives, policies, regulations, or standards, the public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act, CUI, and proprietary information). This requirement addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Individuals authorized to post CUI onto publicly accessible systems are designated. The content of information is reviewed prior to posting onto publicly accessible systems to ensure that nonpublic information is not included. |
link |
4 |
| NIST_SP_800-53_R4 |
AC-22 |
NIST_SP_800-53_R4_AC-22 |
NIST SP 800-53 Rev. 4 AC-22 |
Access Control |
Publicly Accessible Content |
Shared |
n/a |
The organization:
a. Designates individuals authorized to post information onto a publicly accessible information system;
b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and
d. Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered.
Supplemental Guidance: In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on
non-organization information systems is covered by organizational policy. Related controls: AC-3, AC-4, AT-2, AT-3, AU-13.
Control Enhancements: None.
References: None. |
link |
4 |
| NIST_SP_800-53_R5 |
AC-22 |
NIST_SP_800-53_R5_AC-22 |
NIST SP 800-53 Rev. 5 AC-22 |
Access Control |
Publicly Accessible Content |
Shared |
n/a |
a. Designate individuals authorized to make information publicly accessible;
b. Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and
d. Review the content on the publicly accessible system for nonpublic information [Assignment: organization-defined frequency] and remove such information, if discovered. |
link |
4 |