The AC.L1-B.1.IV practice in CMMC 2.0 Level 1 is taken verbatim from FAR 52.204-21(b)(1)(iv): control information posted or processed on publicly accessible information systems. At Level 1 the information in scope is Federal Contract Information (FCI); the same control appears as NIST SP 800-171 3.1.22 at Level 2, where it also covers Controlled Unclassified Information (CUI). Building a practical compliance checklist helps small businesses operationalize that requirement with specific policies, technical controls, and evidence collection aligned to your Compliance Framework.
Understand the requirement and scope
Start by mapping AC.L1-B.1.IV to your Compliance Framework's artifacts: identify what your organization holds as FCI (and CUI, if you also fall under Level 2), list the systems you classify as "publicly accessible", meaning reachable by anyone on the internet without authentication (the public website, marketing cloud drives shared by link, public Git repositories, SaaS forms, customer portals), and document the approved processing locations for each information category. This mapping is the foundation of an auditable checklist and should cite the applicable FAR clause text and the CMMC practice reference in the compliance record.
Practical implementation steps (small-business focused)
Implement a concise, actionable set of rules: (1) Policy — publish a short, usable policy that explicitly forbids uploading FCI/CUI to any public system and names the acceptable systems (e.g., contractor-managed, IAM-protected systems); (2) Technical controls — deploy DLP (endpoint or cloud-based) to block uploads containing contract numbers or marking keywords, using regex patterns for your contract-ID formats and common FCI/CUI markings, and test the patterns for false positives before switching them from alert to block; (3) Access controls — enforce least privilege and MFA on the systems that are authorized to process FCI/CUI; (4) Inventory — maintain a living inventory of public systems and their owners; (5) Publishing review — designate who is allowed to post to each public system, require a review for FCI/CUI before content goes live, and define how improperly posted content is removed; and (6) Approval and exceptions — create a documented exception process requiring risk acceptance and compensating controls.
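The following scanner is an added example, not code from the original page, showing the detection logic behind step (2) in a form you can also wire into the git pre-commit hook mentioned in the scenarios below. The contract-ID regex is an assumption modelled loosely on the 13-character PIID layout in FAR 4.1603 (six-character activity address code, two-digit fiscal year, instrument-type letter, four-character serial); the marking keywords, the sample text and the script name scan_fci.py are likewise constructed for illustration, so replace them with the identifiers that actually appear in your contracts.

```python
"""Added example (not from the original page): a pattern scanner that can back a
DLP rule test or a git pre-commit hook. The contract-ID regex is an ASSUMPTION
modelled loosely on the 13-character PIID layout in FAR 4.1603; replace it with
the identifiers that actually appear in your contracts.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Assumed patterns. Word boundaries keep substrings of longer tokens (hashes,
# URLs) from triggering; review hits for false positives before blocking on them.
PATTERNS = {
    "contract_id": re.compile(r"\b[A-Z0-9]{6}\d{2}[A-Z][A-Z0-9]{4}\b"),
    "marking": re.compile(
        r"\b(CUI|FCI|Federal Contract Information|Controlled Unclassified Information)\b",
        re.IGNORECASE,
    ),
}
BLOCKING_KINDS = {"contract_id", "marking"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    match: str


def scan_text(text: str) -> list[Finding]:
    """Return every pattern hit with its 1-based line number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append(Finding(line_no, kind, m.group(0)))
    return findings


def should_block(findings: list[Finding]) -> bool:
    """Prefer blocking over detect-only: any contract ID or marking stops the upload/commit."""
    return any(f.kind in BLOCKING_KINDS for f in findings)


def scan_paths(paths: list[str]) -> dict[str, list[Finding]]:
    """Scan files as text; unreadable files are skipped and undecodable bytes dropped."""
    results = {}
    for path in paths:
        try:
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
        except OSError:
            continue
        hits = scan_text(text)
        if hits:
            results[path] = hits
    return results


# Constructed sample: the kind of text an RFP draft might contain.
SAMPLE = (
    "Proposal for contract W912DY22C0001, Section L.\n"
    "Marked CUI. Do not post publicly.\n"
    "Agenda for Monday's marketing meeting.\n"
)

if __name__ == "__main__":
    # Pre-commit usage: git diff --cached --name-only -z | xargs -0 python scan_fci.py
    # A non-zero exit aborts the commit.
    paths = sys.argv[1:]
    if paths:
        hits = scan_paths(paths)
        for path, findings in hits.items():
            for f in findings:
                print(f"{path}:{f.line_no}: {f.kind}: {f.match}")
        sys.exit(1 if any(should_block(v) for v in hits.values()) else 0)
    for f in scan_text(SAMPLE):
        print(f)
```

Run without arguments to see the hits on the built-in sample; run with staged file paths from a pre-commit hook to block the commit. The same scan_text output, with a timestamp and user, is the kind of "blocked upload" log the evidence section asks for.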
Technical control examples and configurations
For small businesses using common platforms, apply practical configs. On AWS, turn on S3 Block Public Access at the account level as well as on each bucket, add a bucket policy that denies s3:PutObject, s3:PutObjectAcl and s3:PutBucketAcl whenever the request carries a public canned ACL (s3:x-amz-acl of public-read, public-read-write or authenticated-read), and use an SCP or IAM policy so that only administrators can change the public access block. For Google Drive and Microsoft 365, set DLP rules to detect contract-number patterns and automatically quarantine the file or block external sharing. For web servers and customer portals, restrict accepted upload types and sizes at the application layer, put a WAF in front to block anomalous upload requests, and keep HSTS and a Content Security Policy in place as general hardening; none of that replaces reviewing what gets published. Example AWS CLI snippet (conceptual, bucket level): aws s3api put-public-access-block --bucket mybucket --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true.
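As an added example (not code from the original page), the script below generates the deny-public-ACL bucket policy just described and evaluates a bucket's effective public exposure from its Block Public Access settings, ACL and policy, which is the same check the "bucket left public" scenario in the next section relies on. The bucket name deliverables and the sample ACL and policy documents are constructed for illustration; the offline checks use the dictionary shapes that the boto3 calls get_public_access_block, get_bucket_acl and get_bucket_policy return, and boto3 is imported only inside the live-fetch helper so the rest runs without AWS credentials.

```python
"""Added example (not from the original page): evaluate an S3 bucket's public
exposure from Block Public Access, ACL and bucket policy, and emit the
deny-public-ACL policy. Bucket names and sample configurations are constructed.
"""
from __future__ import annotations

import json

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def deny_public_acl_policy(bucket: str) -> dict:
    """Bucket policy refusing any object or bucket ACL that grants public access.
    A second layer behind Block Public Access, not a replacement for it."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyPublicCannedAcls",
        "Effect": "Deny",
        "Principal": "*",
        "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:PutBucketAcl"],
        "Resource": [arn, f"{arn}/*"],
        "Condition": {"StringEquals": {"s3:x-amz-acl": [
            "public-read", "public-read-write", "authenticated-read"]}},
    }]}


def pab_complete(pab: dict) -> bool:
    """All four Block Public Access flags set (shape of get_public_access_block)."""
    return all(pab.get(k) is True for k in PAB_KEYS)


def acl_public_grants(acl: dict) -> list[str]:
    """Permissions granted to AllUsers/AuthenticatedUsers (shape of get_bucket_acl)."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]


def policy_public_statements(policy: dict) -> list[str]:
    """Sids of unconditional Allow statements whose principal is everyone.
    Conservative: a statement with any Condition is treated as restricted."""
    sids = []
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        everyone = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        if st.get("Effect") == "Allow" and everyone and not st.get("Condition"):
            sids.append(st.get("Sid", "<no sid>"))
    return sids


def assess_bucket(pab: dict, acl: dict, policy: dict) -> list[str]:
    """Findings describing effective public exposure; an empty list means none."""
    findings = []
    if not pab_complete(pab):
        findings.append("public access block incomplete")
    if pab.get("IgnorePublicAcls") is not True:       # public ACL grants take effect
        findings += [f"ACL grants {p} to a public group" for p in acl_public_grants(acl)]
    if pab.get("RestrictPublicBuckets") is not True:  # public policy statements take effect
        findings += [f"policy statement {s} allows everyone" for s in policy_public_statements(policy)]
    return findings


def fetch_and_assess(bucket: str) -> list[str]:
    """Pull live state with boto3 (imported here so the checks above run offline)."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    try:
        pab = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except ClientError:      # NoSuchPublicAccessBlockConfiguration: nothing is blocked
        pab = {}
    try:
        policy = json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"])
    except ClientError:      # NoSuchBucketPolicy
        policy = {}
    return assess_bucket(pab, s3.get_bucket_acl(Bucket=bucket), policy)


# Constructed samples: the "accidentally public" bucket and its hardened state.
FULL_PAB = {k: True for k in PAB_KEYS}
ACL_PUBLIC_READ = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
ACL_OWNER_ONLY = {"Grants": ACL_PUBLIC_READ["Grants"][:1]}
POLICY_PUBLIC_READ = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::deliverables/*"},
]}

if __name__ == "__main__":
    print("before:", assess_bucket({}, ACL_PUBLIC_READ, POLICY_PUBLIC_READ))
    print("after: ", assess_bucket(FULL_PAB, ACL_OWNER_ONLY, deny_public_acl_policy("deliverables")))
    print(json.dumps(deny_public_acl_policy("deliverables"), indent=2))
```

assess_bucket reports effective exposure: a full public access block neutralizes a stray public ACL or policy, so such a bucket returns no findings even though the stale grant still deserves cleanup. Run fetch_and_assess over every bucket on a schedule and keep the output as the periodic scan evidence.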
Real-world scenarios and how the checklist prevents them
Scenario 1: A marketing employee uploads an RFP containing FCI to a Google Drive folder and sets the link to "anyone with the link." Prevent it with a Workspace sharing setting that restricts link sharing for that organizational unit, a DLP rule that detects contract numbers and automatically removes external sharing, training, and a visible portal warning. Scenario 2: A developer pushes a repository with internal contract references to a public GitHub repo; mitigate with a pre-commit hook and server-side scanning for contract-number patterns, an organization setting that restricts members to creating private repositories, and a setting that reserves repository visibility changes for organization owners (commit signing proves who authored a change, but does nothing to stop the push). Scenario 3: An S3 bucket storing deliverables is accidentally left public; mitigate with account-level Block Public Access, the AWS Config managed rules s3-bucket-public-read-prohibited and s3-bucket-public-write-prohibited (or IAM Access Analyzer for S3), and alerting integrated into your compliance evidence logs.
Audit evidence and Compliance Framework integration
Your checklist should mandate specific evidence types for each control: policy documents, system inventory exported as CSV, DLP rule screenshots and test results, IAM policy snippets, sample logs showing blocked uploads (timestamp, user, filename pattern matched), exception request records, periodic scan reports (e.g., cloud scanners showing no public buckets), and training completion records. Store evidence in your compliance repository with cross-references to the Control ID (AC.L1-B.1.IV), the FAR clause, and date-stamped auditor notes to simplify assessment and continuous monitoring.
Risks of non‑implementation and remediation priorities
Failing to control information on publicly accessible systems can lead to unauthorized disclosure, contract sanctions, loss of future business, and reputational damage; technically, misconfigured storage or detect-only DLP lets data leave unnoticed and lets search engines and crawlers index the content, after which removal from caches is slow and uncertain. Prioritize quick wins: disable public access on cloud storage, implement basic DLP rules for high-risk patterns, and run an immediate inventory scan for public endpoints; these steps reduce the largest exposure rapidly while you implement longer-term controls.
Compliance tips and best practices
Keep rules simple and enforceable: prefer automatic blocking over detection-only for high-risk items; leverage native cloud controls (block public access, organization policies) before adding third-party tools; schedule quarterly tabletop exercises to review exception records and run simulated upload tests; maintain an "evidence-first" mindset—capture screenshots and logs when you configure controls. For small businesses with limited budgets, use built-in platform DLP and free-tier scanning tools combined with a manual quarterly review workflow tracked in your compliance platform.
Summary: Convert AC.L1-B.1.IV into a short, auditable checklist that combines a clear non-upload policy, inventory of public systems, technical blocking (DLP, cloud public access blocks, IAM), detection with logging, employee training, and documented exception handling; prioritize immediate remediation of public exposures, retain evidence mapped to your Compliance Framework, and treat automated prevention as the default to reduce risk and demonstrate compliance to FAR 52.204-21 and CMMC 2.0 Level 1 assessors.