AC.L2-3.1.21[a]: Identify All Public-Facing Systems in Your Environment

Mapped to NIST 800-171 Requirement: 3.1.21
CMMC Assessment Objective: AC.L2-3.1.21[a]

What This Objective Means
Your organization must maintain visibility into all publicly accessible systems, including but not limited to:
• Company websites and marketing platforms
• Web applications and customer portals
• Email gateways
• Cloud management consoles
• Remote access services (e.g., VPNs, RDP, Citrix)
This objective is foundational to implementing protections that prevent unauthorized access to CUI through public interfaces.

Why It Matters
Public-facing systems are inherently at higher risk of:
• Exploitation via internet-based attacks
• Credential stuffing or brute-force attempts
• Vulnerability scans and enumeration
Understanding which systems are exposed to the internet is the first step in hardening them and isolating them from CUI.

How to Implement It
• Conduct an external network scan to identify internet-facing IP addresses, domains, and ports
• Build and maintain an inventory of:
◦ Public web servers
◦ Remote access portals
◦ APIs exposed externally
◦ DNS and email services
• Document each system’s business purpose, responsible owner, and risk profile
• Map public systems to your broader network diagram and CUI segmentation strategy

Evidence the Assessor Will Look For
• A documented inventory of public-facing systems
• Network diagrams showing boundaries between public and internal systems
• External scan reports or penetration testing results identifying exposed services
• System Security Plan (SSP) entries listing internet-accessible components

Common Gaps
• Public systems are deployed but not tracked or documented
• CUI is stored or processed on publicly accessible systems
• Internet-facing systems connect directly to internal or CUI-hosting systems
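
One way to reconcile external scan findings with the documented inventory and surface the gaps listed above, as an added example (not Cuick Trac tooling or code from this page). The CSV column names, host names, and scan findings are constructed assumptions.

```python
import csv
import io

# Constructed inventory of public-facing systems (column names are assumptions).
INVENTORY_CSV = """host,port,purpose,owner,risk,handles_cui,connects_to_cui
www.example.com,443,Marketing website,Web Team,low,no,no
vpn.example.com,443,Remote access VPN,IT Ops,high,no,yes
portal.example.com,443,Customer portal,,medium,yes,no
"""

# Constructed external scan findings: (host, port) pairs reachable from the internet.
SCAN_FINDINGS = [
    ("www.example.com", 443),
    ("vpn.example.com", 443),
    ("portal.example.com", 443),
    ("portal.example.com", 3389),
    ("dev.example.com", 8080),
]

REQUIRED = ("purpose", "owner", "risk")  # business purpose, responsible owner, risk profile


def load_inventory(text):
    """Index inventory rows by (host, port)."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["host"].strip().lower(), int(r["port"])): r for r in rows}


def review(inventory, findings):
    """Return sorted (host, port, issue) tuples for each gap found."""
    gaps = []
    # Gap 1: exposed services that nobody tracked or documented.
    for host, port in findings:
        if (host.lower(), port) not in inventory:
            gaps.append((host.lower(), port, "exposed but not in inventory"))
    for (host, port), row in inventory.items():
        missing = [f for f in REQUIRED if not row[f].strip()]
        if missing:
            gaps.append((host, port, "missing fields: " + ",".join(missing)))
        # Gap 2: CUI stored or processed on a publicly accessible system.
        if row["handles_cui"].strip().lower() == "yes":
            gaps.append((host, port, "CUI on a publicly accessible system"))
        # Gap 3: public system wired directly to internal or CUI-hosting systems.
        if row["connects_to_cui"].strip().lower() == "yes":
            gaps.append((host, port, "connects directly to a CUI-hosting system"))
    return sorted(gaps)


if __name__ == "__main__":
    for host, port, issue in review(load_inventory(INVENTORY_CSV), SCAN_FINDINGS):
        print(f"{host}:{port}  {issue}")
```

The resulting list can be attached to the inventory as a record of what was reviewed and what still needs an owner or a segmentation fix.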

How Cuick Trac Helps
Cuick Trac supports this requirement by:
• Helping isolate CUI environments from public-facing systems through enclave architecture
• Providing guidance for identifying and documenting public system exposure
• Supporting secure access models that reduce reliance on publicly exposed services
• Offering tools to review exposure and monitor for unauthorized access attempts
With Cuick Trac, CUI is kept away from public systems—and your public systems are monitored, hardened, and documented.

If it’s connected to the internet, it must be tracked, protected, and separated from CUI.
Schedule a Cuick Trac demo and secure your perimeter—starting with visibility.
