NIST 800-53 REV 5 • INCIDENT RESPONSE

IR-9(4) Exposure to Unauthorized Personnel

Employ the following controls for personnel exposed to information not within assigned access authorizations: [Assignment: organization-defined controls].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Controls include ensuring that personnel who are exposed to spilled information are made aware of the laws, executive orders, directives, regulations, policies, standards, and guidelines regarding the information and the restrictions imposed based on exposure to such information.

Practitioner Notes

When someone without the required access authorization is exposed to spilled information, IR-9(4) requires you to define and apply specific controls for that exposure (the organization-defined parameter in the control text). Typical controls are briefing the exposed person on the handling requirements and restrictions that now apply to them, obtaining a signed non-disclosure acknowledgment, and recording the exposure in the incident record. Exposure does not grant access: the person remains unauthorized for that information, and these controls exist to limit further disclosure, not to retroactively authorize what they saw.

Example 1: If an employee without CUI authorization accidentally views a CUI document, brief them on what they were exposed to (enough to identify the material and the restrictions that apply, without reproducing the content), explain their obligation not to discuss, copy, or distribute it, and have them sign a non-disclosure acknowledgment form. Confirm that they no longer have access to the document and have not retained copies, then record in the incident record who was exposed, what they saw, when, and which controls were applied.

Example 2: For classified spillage involving unauthorized viewers, follow your facility's security procedures: notify your Facility Security Officer (FSO), contact the cognizant security agency, and arrange a security briefing and debriefing of the exposed personnel through those channels. Document everything on the appropriate incident report forms, taking care that the report itself does not reproduce the classified content on an unclassified system; describe the exposure in terms of the classification level, systems, and personnel involved.