Mapped to NIST 800-171 Requirement: 3.13.5
CMMC Assessment Objective: SC.L2-3.13.5[c]
What This Control Means
Every system that is publicly accessible—whether it hosts a login portal, API, cloud interface, or remote access gateway—must be:
• Formally authorized for exposure
• Evaluated for security and CUI risk
• Reviewed through change control or risk assessment procedures
• Documented with a business justification for public access
Authorization confirms that public systems are not created without oversight or left unsecured.
Why It Matters
Without authorization, public-facing systems can:
• Introduce unknown attack surfaces
• Host vulnerabilities that put CUI at risk
• Violate internal or customer security policies
• Become “shadow IT” and escape security monitoring
Authorization protects your organization from uncontrolled exposure.
How to Implement It
1. Require Formal Approval for Public Systems
• Update change control policies to require:
◦ Security review
◦ CUI risk evaluation
◦ Management approval
2. Use an Authorization Checklist
Before a system goes live, confirm:
• Business need for public exposure
• Proper access controls
• Encryption in place
• Hardened configurations
• Monitoring enabled
3. Maintain an Authorization Log
• Track:
◦ Who approved the deployment
◦ When approval occurred
◦ Any conditions or mitigation plans tied to approval
4. Link Authorization to Your SSP and Risk Register
• Document which public-facing systems are approved and monitored
• Connect approvals to CUI data flow documentation
Evidence the Assessor Will Look For
• Approval records or change tickets authorizing public-facing systems
• Policies that require formal review and sign-off
• System Security Plan (SSP) entries showing approval status
• Risk assessments or threat models for external-facing assets
• Documentation of controls in place to protect CUI exposed to public systems
Common Gaps
• Public-facing systems exist but were never reviewed or approved
• Approvals are verbal or handled informally without documentation
• No policy requiring security review for public system deployments
• No connection between authorization and CUI protection strategy
How Cuick Trac Helps
Cuick Trac supports this requirement by:
• Enforcing authorization workflows for all public system components
• Tracking approver names, dates, and associated risk justifications
• Flagging systems in your CUI environment that lack proper authorization
• Linking authorized systems to POA&M and change control processes
• Generating audit-ready documentation showing your approval path
With Cuick Trac, every system that faces the public is known, approved, and protected.
Final CTA
If it touches the internet, it needs approval—no exceptions.