AC.L1-b.1.iv
Control information posted publicly
Anything posted on your public website, social media, marketing collateral, or anywhere accessible to the public must not contain FCI. Have a clear sign-off process so nobody pastes a customer PO into a LinkedIn post or a case study.
Official text
“Control information posted or processed on publicly accessible information systems.”
— FAR 52.204-21(b)(1)(iv), CMMC Level 1 v2.13 Assessment Guide
What evidence satisfies this
Any one of these, by itself, won't satisfy the practice — but showing a few of them together is what an assessor or a prime contractor expects to see:
- ✓ A one-line policy: "Nothing about a federal contract goes public without owner sign-off."
- ✓ A named person responsible for publishing to the company website and social media.
- ✓ A pre-publication checklist used before posting case studies or PR.
- ✓ Examples of redacted vs original: the SBIR award letter on your About page with dollar amounts redacted, etc.
- ✓ A scrubbed list of public pages (website, LinkedIn, Facebook, GitHub) that has been reviewed for accidental FCI exposure.
Common ways small shops fail this
- ✗ Posting the SBIR award letter or DoD PO photo to LinkedIn before the agency has cleared it for public release.
- ✗ Putting unredacted customer names and dollar amounts in a website case study.
- ✗ Marketing pages that quote prime contract language verbatim, exposing flow-down details.
- ✗ Open GitHub repos containing scripts that hardcode prime contract numbers or base-access details.
- ✗ Press releases drafted by an outside PR firm that lift detail from the award document.
How to fix it in a weekend
1. Pick one person who has to sign off on anything DoD-related being made public.
2. Walk your website, LinkedIn, and any GitHub orgs once. Redact or remove anything that surfaces FCI.
3. Add a one-line "public information" rule to your one-pager.
4. Set GitHub orgs to private by default for anything touching customer work.
5. When a prime sends a press release for you to publish, confirm with the contracting officer before posting.
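One way to make the walk-through repeatable is a small pre-publication scan over drafts, a site export, or a repo checkout. This is an added example, not part of the official guidance or of any Custodia tooling; the function names are hypothetical and the watch-list values are constructed placeholders you replace with your own contract numbers and customer names.

```python
import re
from pathlib import Path

# Constructed placeholders: substitute the contract numbers and customer
# names your own company must not publish without sign-off.
WATCHLIST = {
    "contract_number": ["EXAMPLE-00-X-0000"],
    "customer_name": ["Example Prime Corp"],
}

# Dollar figures such as "$1,250,000", "$4.5 million" or "$80k".
DOLLAR = re.compile(r"\$\s?\d[\d,]*(?:\.\d+)?(?:\s?(?:million|billion|k|m)\b)?", re.I)

def _normalize(s):
    """Keep only lowercase letters and digits, so a contract number typed
    with spaces, hyphens or none at all still matches the watch-list."""
    return re.sub(r"[^a-z0-9]", "", s.lower())

def scan_text(text, watchlist=WATCHLIST):
    """Return (line_no, category, matched) findings for one draft."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        flat = _normalize(line)
        for category, terms in watchlist.items():
            for term in terms:
                if _normalize(term) in flat:
                    findings.append((no, category, term))
        for m in DOLLAR.finditer(line):
            findings.append((no, "dollar_amount", m.group()))
    return findings

def scan_tree(root, watchlist=WATCHLIST):
    """Scan every file under root (site export or repo checkout).
    Returns {path: findings} for files that need owner review."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            hits = scan_text(path.read_text(errors="ignore"), watchlist)
            if hits:
                results[str(path)] = hits
    return results

# Constructed sample draft of a case study.
SAMPLE_DRAFT = """We are proud to support the warfighter.
Our award (example 00 x 0000) is valued at $1,250,000.
Partnering with Example Prime Corp. on delivery."""
```

Anything the scan flags goes to the named sign-off owner; a clean scan does not replace that review, since deliverable details and technical approach will not match a watch-list.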
FAQ
Can I say I have a contract with the DoD on my website?
Generally yes — the existence of a federal contract is public once the award is announced on SAM.gov. What's restricted is everything else: dollar amounts not made public, deliverable details, prime contact info, base-access details, technical approach.