Control FCI posted or processed on publicly accessible systems
Publicly accessible systems, such as public websites, public cloud storage buckets, public GitHub repositories, and marketing platforms, must not contain Federal Contract Information unless it has been explicitly reviewed and authorized for public release. FCI posted publicly can violate contract terms and government regulations even if the disclosure was accidental. Organizations must have review processes that prevent FCI from reaching public systems.
Implementation steps
1. Identify all publicly accessible systems
Inventory every system or service accessible to the public: public websites, public cloud storage (S3 buckets, Azure Blob), public code repositories, marketing platforms, public wikis, and social media accounts. These are the systems at risk of inadvertent FCI disclosure.
Tools: aws-s3, github, confluence
2. Implement a review process before publishing
Establish a formal review step before any content is published to a public system. Designate individuals responsible for verifying that content does not contain FCI before it goes public. This is especially important for technical documentation, release notes, and code that may reference contract details or controlled technical data.
Tools: github, jira, confluence
3. Configure technical controls to prevent accidental exposure
Set default permissions on cloud storage and repositories to private. Use DLP tools to scan outbound content for FCI indicators. Configure public GitHub repositories to block secrets and sensitive data patterns. Audit public buckets and repositories regularly for accidentally exposed files.
Tools: aws-macie, github-advanced-security, trufflehog, purview
4. Train staff on public disclosure risks
Ensure employees understand what FCI is and why it cannot appear on public systems. Cover common failure modes: pasting contract numbers into public Slack channels, committing config files with contract details to public repos, or publishing technical specs that reference controlled data.
Tools: knowbe4, proofpoint-security-awareness
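As an added example (not code from the original page or from any of the tools it lists), the following script performs the bucket permission audit called for in step 3 offline. It takes S3 bucket configurations in the shape returned by the GetPublicAccessBlock, GetBucketPolicy and GetBucketAcl APIs (assumed to have been fetched already; here a constructed inventory is embedded) and flags every bucket that is not private by default.

```python
import json

# ACL grantee groups that make a bucket or its objects readable by the public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_ACL_GRANTEES = {ALL_USERS, AUTH_USERS}
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")

def audit_bucket(bucket):
    """Return findings (strings) for one bucket; an empty list means private."""
    findings = []
    pab = bucket.get("PublicAccessBlock") or {}
    for key in PAB_SETTINGS:  # all four should be on for private-by-default
        if not pab.get(key, False):
            findings.append(f"public access block '{key}' is off")
    policy = json.loads(bucket["Policy"]) if bucket.get("Policy") else {}
    statements = policy.get("Statement", [])  # a single statement may be a bare dict
    for stmt in ([statements] if isinstance(statements, dict) else statements):
        if stmt.get("Effect") == "Allow" and stmt.get("Principal") in ("*", {"AWS": "*"}):
            findings.append(f"bucket policy allows {stmt.get('Action')} for everyone")
    for grant in bucket.get("Grants", []):  # wildcard principal in either JSON spelling
        uri = grant.get("Grantee", {}).get("URI", "")
        if uri in PUBLIC_ACL_GRANTEES:
            findings.append(f"ACL grants {grant.get('Permission')} to {uri.rsplit('/', 1)[-1]}")
    return findings

def audit_inventory(buckets):
    """Map bucket name to findings for every bucket that is not fully private."""
    report = {}
    for bucket in buckets:
        findings = audit_bucket(bucket)
        if findings:
            report[bucket["Name"]] = findings
    return report

# Constructed sample inventory: one locked-down bucket and one exposed one.
SAMPLE_BUCKETS = [
    {"Name": "contract-deliverables", "Policy": None, "Grants": [],
     "PublicAccessBlock": dict.fromkeys(PAB_SETTINGS, True)},
    {"Name": "marketing-assets",
     "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                           "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
     "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::marketing-assets/*"}]}),
     "Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                 "Permission": "READ"}]},
]
```

The report from `audit_inventory` doubles as the "cloud storage bucket permission audit" evidence listed below once it is run against the real inventory.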
Evidence required
Public system inventory
List of all publicly accessible systems and confirmation that FCI is not present on them.
- Public-facing system register
- Cloud storage bucket permission audit
Content review process documentation
Written procedure for reviewing content before it is published publicly.
- Publication review checklist
- Pre-publish approval workflow documentation
Technical control configuration
Evidence that cloud storage and repositories default to private and are scanned for sensitive content.
- S3 bucket policy showing private-by-default
- DLP policy configuration
- Repository permission settings
Related controls
- Limit system access to authorized users, processes, and devices (Authorized Access)
- Limit system access to permitted transactions and functions (Authorized Access)
- Verify and control connections to external information systems (External Connections)
- Identify all users, processes, and devices that access systems (Identification)