
Episode 19_PUBLICLY ACCESSIBLE CONTENT_ (AC-22)

1.4K views· 82 likes· 9:46· Jul 29, 2023


In this episode of the NIST SP 800-53 Rev 5 Security Control explanatory series, we reviewed AC-22 PUBLICLY ACCESSIBLE CONTENT, then tried to simplify what the control requirements are all about and how best to assess/test this control during the Security Control Assessment (SCA) process and the self control assessment process in the Continuous Monitoring/On-Going Authorization phase of the RMF.

Computer Security Resource Center: https://csrc.nist.gov/publications

The free way to help the channel grow is by subscribing using the link below: https://www.youtube.com/c/KamilSec?su...

Patreon & Channel Support: https://www.patreon.com/kamilSec?fan_landing=true
Order your KamilSec (KS) Designs Merch: https://kamilsec.creator-spring.com/
CashApp: $Kamilzak
Zelle: kaamilzak@gmail.com
PayPal: https://paypal.me/MZakari
Venmo: @kamilsec
Thank You!!!

I also conduct individualized resume and interview prep sessions as well as on-the-job consultation.

Connect with me on Social Media:
Twitter: https://twitter.com/Kamilzak_1
Instagram: @Kamilzak1
Facebook: https://www.facebook.com/kamil.kamilsec
E-Mail: Kaamilzak@gmail.com

About This Video

In this Episode 19 of my NIST SP 800-53 Rev. 5 Access Control series, I wrap up the Access Control family by breaking down AC-22: Publicly Accessible Content. I walk through what the control is really trying to do: make sure the organization designates who is allowed to post publicly, trains those authorized individuals so they don't accidentally publish non-public information, and puts a review/approval process in place before anything goes live, whether on the public website or on social media. I also highlight the ongoing requirement to review what's already posted at an organization-defined frequency and remove non-public content if it's discovered.

I read the Rev. 5 requirement, hit the key points from the discussion, and simplify it into practical language: only vetted and approved information should be made public, and the process needs guardrails so mistakes get caught, especially through regular reviews.

Then I go into how I assess/test AC-22 during an SCA or during continuous monitoring/ongoing authorization: I examine the SSP and the access control policy/procedures, verify training requirements and actual training records, and request evidence such as sample emails or ticketing artifacts (ServiceNow/Jira) showing review and approval prior to posting. I also call out a reality I see often: AC-22 is frequently marked N/A unless the agency truly deals with a lot of public-facing content.
