Level 5 CMMC - CMMC Practices

AC.2.005  

Reference: CMMC 1.02

Family: AC

Level Introduced: 2

Practice:
Provide privacy and security notices consistent with applicable CUI rules.

CMMC Clarification:
Every system has legal information about user privacy and security. A system-use notification banner displays the legal requirements of using the systems. Users are required to click to agree to the displayed requirements of using the system each time they logon to the machine. You can use this implicit agreement in the civil and/or criminal prosecution of an attacker that violates the terms.
Discuss legal notification requirements with your organization’s legal counsel. This will ensure that they meet all applicable requirements. You should inform the user that:
• you may monitor, record, and subject to audit any information system usage;
• you prohibit unauthorized use of the information system;
• you may subject unauthorized use to criminal and civil penalties; and
• use of the information system indicates consent to monitoring and recording.

Example
You are setting up IT equipment for your organization. You have worked with legal counsel to draft a notification. The system displays the required security and privacy information when anyone logs on to your organization’s machines. You ensure that this notification displays to all users of all of the organization’s machines.

3.1.9

Provide privacy and security notices consistent with applicable CUI rules.

Discussion:
System use notifications can be implemented using messages or warning banners displayed before individuals log in to organizational systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Based on a risk assessment, organizations consider whether a secondary system use notification is needed to access applications or other system resources after the initial network logon. Where necessary, posters or other printed materials may be used in lieu of an automated system banner. Organizations consult with the Office of General Counsel for legal review and approval of warning banner content.

Source: NIST Special Publication 800-171 Rev. 2

AC-8

SYSTEM USE NOTIFICATION

Description:
The information system:
    a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
        1. Users are accessing a U.S. Government information system;
        2. Information system usage may be monitored, recorded, and subject to audit;
        3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
        4. Use of the information system indicates consent to monitoring and recording;
    b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and
    c. For publicly accessible systems:
        1. Displays system use information [Assignment: organization-defined conditions], before granting further access;
        2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
        3. Includes a description of the authorized uses of the system.

Supplemental Guidance:
System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02