SC.L2-3.13.4: Shared Resource Control

Prevent unauthorized or unintended information transfer via shared resources.

Shared resources create risk if not properly controlled. SC.L2-3.13.4 requires you to implement controls that prevent one user from accessing another user’s data through shared systems, shared folders, or temporary files. The assessor will look at your shared resources and test whether access controls are working. This practice complements AC.L2-3.1.1 (access control) and MP.L2-3.8.1 (media handling within the CUI boundary).

Family: System and Communications Protection
Practice: SC.L2-3.13.4
Difficulty: Medium
Key evidence: Shared resource inventory, access control policies, permission audits

What the assessor is actually evaluating

The assessor will check:

  1. Inventory of shared resources: You should be able to list all shared folders, shared printers, shared applications, and other resources where CUI might be stored.

  2. Access control policies: Shared resources should have documented rules about who can access them. For example, a folder named “HR” should only be accessible to HR staff.

  3. Technical enforcement: File share permissions should reflect your policies. The assessor may test by attempting to access a shared folder with an unprivileged account to verify they are blocked.

What a realistic SSP definition looks like

Policy: “The organization controls access to shared resources through file share permissions, group policies, and access control lists. Shared folders are created with restrictive permissions. By default, only the owner or authorized groups have read/write access. General ‘Everyone’ permissions are prohibited. Temporary files are not stored on shared systems. Shared resources are audited quarterly to ensure permissions remain appropriate.”

Supporting details:

  • Shared folder inventory: Documented in a spreadsheet with folder name, location, owner, and list of authorized users/groups.
  • Access control: Permissions are assigned to AD groups rather than individual users. For example, the “HR-Shared” folder has read/write access only for the “HR Team” group.
  • Prohibition on broad permissions: The “Everyone,” “Domain Users,” and “Authenticated Users” groups are not granted write access to any shared folder.
  • Temporary file management: Shared systems have disk cleanup policies that purge temporary files weekly.
  • Quarterly audits: IT manager reviews share permissions against the inventory and business needs.

How to present your evidence

  • Shared resource inventory: A spreadsheet or document listing all shared folders, their purpose, owner, and authorized user groups.
  • Access control policy document: Describes how shared resources are created, configured, and maintained.
  • Permission audit reports: Show the current permissions on a sample of shared folders (e.g., 5-10 folders). Display who can access each folder and verify permissions match business need and policy.
  • Group membership verification: For shared resources controlled via AD groups, show the groups and their members. Confirm that inappropriate groups (Everyone, Domain Users) are not granted access.
  • Testing evidence: If possible, show that you tested access by attempting to access a restricted share with an unprivileged account and were denied access.
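
The permission audit report and group-membership check above can be produced with a script instead of screenshots. The following PowerShell is an added example, not from this guide: it enumerates every non-administrative SMB share on a file server, flags the broad principals the policy names (Everyone, Authenticated Users, Users, Domain Users) wherever they hold write access at either the share or the NTFS layer, and writes a dated CSV for the evidence file. It assumes an elevated session on the file server, a domain-joined host, and a placeholder evidence folder C:\ComplianceEvidence.

```powershell
# Added example (not from this guide): audit every non-administrative SMB share on a file
# server for broad principals that hold write access at the share or NTFS layer, and save
# the result as quarterly audit evidence. Assumptions: run elevated on the file server with
# the SmbShare module (Windows Server 2012+); host is domain-joined; $ReportDir is a placeholder.
$ReportDir = 'C:\ComplianceEvidence'

# Principals the policy says must never hold write access on a shared folder.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users',
                     "$env:USERDOMAIN\Domain Users")

# NTFS bits that allow changing, deleting or re-permissioning data. GENERIC_WRITE (0x40000000)
# and GENERIC_ALL (0x10000000) appear on some inherited ACEs, so they are included too.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$WriteBits = $WriteBits -bor 0x40000000 -bor 0x10000000

$Findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    # Layer 1: the SMB share ACL (Get-SmbShareAccess reports Read, Change or Full)
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.AccessRight -in @('Change', 'Full') -and
            $ace.AccountName -in $BroadPrincipals) {
            [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Layer = 'Share'
                               Principal = $ace.AccountName; Rights = $ace.AccessRight }
        }
    }
    # Layer 2: the NTFS ACL on the folder behind the share. Effective access is the
    # intersection of both layers, but the policy forbids a broad grant at either, so report both.
    foreach ($ace in (Get-Acl -LiteralPath $share.Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -in $BroadPrincipals -and
            (([int]$ace.FileSystemRights) -band $WriteBits) -ne 0) {
            [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Layer = 'NTFS'
                               Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

# Persist the result with host and date in the file name so it can be filed as evidence.
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$Report = Join-Path $ReportDir ('ShareAudit-{0}-{1:yyyyMMdd}.csv' -f $env:COMPUTERNAME, (Get-Date))
if ($Findings) {
    $Findings | Export-Csv -Path $Report -NoTypeInformation
    $Findings | Format-Table -AutoSize
    Write-Warning ('{0} broad write grant(s) found; report saved to {1}' -f @($Findings).Count, $Report)
} else {
    [pscustomobject]@{ Share = '(none)'; Path = ''; Layer = ''; Principal = ''; Rights = 'No broad write grants' } |
        Export-Csv -Path $Report -NoTypeInformation
    Write-Host "No broad write grants on non-administrative shares; report saved to $Report"
}
```

Run it each quarter and file the CSV next to the shared folder inventory; any row it reports is a permission to correct before the assessor finds it.
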

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Assessor: “Tell me about your shared resources. What shared folders do you have?”

You: “We have 12 shared folders for departments like HR, Finance, Engineering, and general company information. Access is restricted to the relevant department.” [Pull up the shared folder inventory]

Assessor: “Show me the permissions on the Finance folder.”

You: [Pull up share permissions and NTFS permissions showing the Finance folder is accessible only to the Finance group, not to Everyone or other departments]

Assessor: “How do you ensure these permissions stay correct?”

You: “We audit all shared folder permissions quarterly and compare them against our inventory. Any inappropriate permissions are corrected immediately.” [Pull up the most recent audit report]

Common failures

Overly permissive share permissions: A shared folder is set to “Everyone can read/write.” Any user on the network can access sensitive data.

No inventory of shared resources: You cannot list all your shared folders and who should have access. The assessor will discover shares you were not tracking.

Inconsistent or forgotten access controls: A user left the company six months ago, but they still have access to shared folders because the access control was never removed.

Shared temporary files: CUI is left in a shared temp folder because individual users are not cleaning up their temporary files.

What good looks like

Restricted share permissions: All shared folders are set to specific groups or users. No “Everyone” permissions. Access is clear and intentional.

Quarterly permission audits: Documented reviews of share permissions ensure they remain appropriate and inappropriate access is removed.

If you use an MSP/MSSP

If your MSP manages file sharing, request an inventory of all shared resources and their permissions. Ensure the MSP is auditing permissions regularly. You are responsible for ensuring shared resources are properly controlled. Request quarterly permission audit reports and review them with the MSP.

This guide is for reference only and does not replace official CMMC documentation or professional compliance advice.