AC.L2-3.1.22 — Control CUI on publicly accessible systems
Control CUI posted or processed on publicly accessible systems.
Verbatim NIST SP 800-171 Rev 2 requirement text (3.1.22).
How it's scored
1 point deducted from your SPRS score if unmet.
AC.L2-3.1.22 can never sit on a POA&M, regardless of your score: it is one of the six requirements 32 CFR 170.21(a)(2) excludes from Plans of Action & Milestones at conditional certification. It must be fully implemented before a Level 2 assessment can succeed.
What an assessor checks: the 5 assessment objectives
NIST SP 800-171A determination statements, verbatim. A CMMC Level 2 assessor marks AC.L2-3.1.22 MET only when every applicable objective is satisfied — and examines evidence, not assertions.
| Objective | Determination statement |
|---|---|
| 3.1.22[a] | individuals authorized to post or process information on publicly accessible systems are identified. |
| 3.1.22[b] | procedures to ensure CUI is not posted or processed on publicly accessible systems are identified. |
| 3.1.22[c] | a review process in in place prior to posting of any content to publicly accessible systems. |
| 3.1.22[d] | content on publicly accessible information systems is reviewed to ensure that it does not include CUI. |
| 3.1.22[e] | mechanisms are in place to remove and address improper posting of CUI. |
Where do you stand on AC.L2-3.1.22?
The free Muster Score walks all 110 requirements — including every objective above — and computes your exact SPRS score in your browser. No signup, no upload, and your answers never leave your device.
Get your free Muster Score →Requirement and objective text: NIST SP 800-171 Rev 2 / SP 800-171A (verbatim). Scoring: DoD Assessment Methodology v1.2.1; POA&M eligibility: 32 CFR 170.21. Muster is independent and not affiliated with the U.S. Department of Defense or the Cyber AB; this page is compliance information, not legal advice or a certification.