
Social Media Security in a CMMC World

By Joe Kurlanski 

If only the cybersecurity risk of oversharing online were common knowledge. We know people are still putting themselves in danger with how much information they share. All that information is “out there” once posted, and mostly uncontrolled. In our personal lives the cost is usually an unpopular opinion or embarrassing anecdote here and there, but once we’re using social media for business purposes, oversharing can mean the difference between CMMC Certification and finding ourselves out of compliance. The CMMC (Cybersecurity Maturity Model Certification) addresses this in its Access Control (AC) and System and Communications Protection (SC) domains. Organizations typically face these requirements while marketing and advertising. Sharing your DoD-contracted work (however impressive it may be) can at times leak controlled information. It is important to manage both the employees and the public-content process, including creating, reviewing, releasing, posting, and publishing this information.

Practice AC.1.004 is the first appearance of social media security in the CMMC and states the requirement to control information made publicly accessible. SC.3.193 takes this further as a Level 3 practice and specifically requires a policy covering the publishing of Controlled Unclassified Information (CUI) to “externally-owned, publicly accessible” websites, LinkedIn, Facebook, and Twitter. This policy should outline the workflow of content creation as well as the approval process, including a list of who can approve publishing. Of course, all practices at Level 3 Maturity require documented policies, procedures, and security plans. In addition to the storage, processing, and transmission of CUI, the publication of this data must be tightly restricted.

AC.2.007 covers another practice that relates to social media governance: Least Privilege. Employees should be given the least amount of system access needed to accomplish their job role. This relates to social media in that not every team member requires the ability to publish. Analyst permissions suffice for those who need performance metrics and do not need the added responsibility of managing the dissemination of information along publicly accessible channels. A desktop reference guide outlining data handling requirements can provide great direction for your marketing/communications department, and across all departments, really.

