CMMC Practice AC.L2-3.1.9 – Privacy & Security Notices: Provide privacy and security notices consistent with applicable CUI rules.
Resources referenced for this practice:
- This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2.
- This link provides the standard banner language used within the Department of Defense along with a list of FAQs.
- This whitepaper from SANS discusses elements of a logon banner specific to the United States.
- This link from the Information Security Department at the University of Tennessee provides an example login banner that could be adapted by other organizations.
- In this edition of the On Call Compliance Solutions Compliance Tip of the Week, we discuss how system use notifications can be implemented using messages or warning banners displayed before individuals log in to organizational systems. Let's talk about NIST 800-171 Control 3.1.9 -- Provide privacy and security notices consistent with applicable CUI rules.
- This video shows administrators how to configure a logon banner for Cisco devices.
- This video shows administrators how to configure a logon banner for Microsoft Windows computers.
System use notifications can be implemented using messages or warning banners displayed before individuals log in to organizational systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Based on a risk assessment, organizations consider whether a secondary system use notification is needed to access applications or other system resources after the initial network logon. Where necessary, posters or other printed materials may be used in lieu of an automated system banner. Organizations consult with the Office of General Counsel for legal review and approval of warning banner content.
Further Discussion
Every system containing or providing access to CUI has legal requirements concerning user privacy and security notices. One method of addressing this requirement is the use of a system-use notification banner that displays the legal requirements of using the system. Users may be required to click to agree to the displayed requirements of using the system each time they log on to the machine. This agreement can be used in the civil and/or criminal prosecution of an attacker that violates the terms.
The legal notification should meet all applicable requirements. At a minimum, the notice should inform the user that:
- information system usage may be monitored or recorded, and is subject to audit;
- unauthorized use of the information systems is prohibited;
- unauthorized use is subject to criminal and civil penalties;
- use of the information system affirms consent to monitoring and recording;
- the information system contains CUI with specific requirements imposed by the Department of Defense; and
- use of the information system may be subject to other specified requirements associated with certain types of CUI such as Export Controlled information.
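As an added example (not part of the CMMC guidance or any of the referenced resources), the following PowerShell configures the Windows pre-logon legal notice through the registry values behind the "Interactive logon: Message title/text" policy settings, then audits that the configured text covers each of the minimum elements listed above. The banner wording is a constructed placeholder; the keyword patterns are assumptions to be adjusted to the organization's counsel-approved notice.

```powershell
# Added example: set and audit the Windows interactive-logon legal notice
# used to satisfy AC.L2-3.1.9. Run from an elevated PowerShell session.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Placeholder wording (constructed for this example) touching all six elements;
# replace with the notice approved by the Office of General Counsel.
$Caption = 'NOTICE: Controlled Unclassified Information (CUI) System'
$Text = @"
This information system contains CUI subject to Department of Defense requirements.
Use of this system is monitored and recorded and is subject to audit.
Unauthorized use is prohibited and is subject to criminal and civil penalties.
By using this system you consent to monitoring and recording.
Some CUI on this system carries additional requirements, such as Export Controlled information.
"@

function Set-LogonBanner {
    param([string]$Caption, [string]$Text)
    # Winlogon reads these values and shows the notice before the credential prompt.
    New-ItemProperty -Path $PolicyKey -Name 'LegalNoticeCaption' -Value $Caption -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name 'LegalNoticeText'    -Value $Text    -PropertyType String -Force | Out-Null
}

function Test-LogonBanner {
    # Audit check: is a banner configured, and does it mention every required element?
    $props  = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ([string]::IsNullOrWhiteSpace($props.LegalNoticeText)) {
        return [pscustomobject]@{ Configured = $false; Missing = @('no banner text set') }
    }
    $banner = "$($props.LegalNoticeCaption) $($props.LegalNoticeText)"
    # Assumed keyword patterns, one per minimum element (regex, case-insensitive).
    $required = [ordered]@{
        'usage monitored/recorded and subject to audit' = 'monitor|record|audit'
        'unauthorized use prohibited'                   = 'unauthori[sz]ed use.*prohibited'
        'criminal and civil penalties'                  = 'criminal.*civil|civil.*criminal'
        'consent to monitoring and recording'           = 'consent'
        'system contains CUI (DoD requirements)'        = 'CUI|Controlled Unclassified'
        'other CUI requirements (e.g. Export Controlled)' = 'export control'
    }
    $missing = $required.GetEnumerator() |
        Where-Object { $banner -notmatch $_.Value } |
        ForEach-Object { $_.Key }
    [pscustomobject]@{ Configured = $true; Missing = @($missing) }
}

Set-LogonBanner -Caption $Caption -Text $Text
Test-LogonBanner   # Missing should be empty once the notice covers every element
```

The same check can be pointed at a Group Policy export or a configuration baseline instead of the live registry; the element list is what an assessor will compare the banner against.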