03.01.09: System Use Notification
Control Family: Access Control
SPRS: N/A
Top Ten Failed Requirement: N/A
Supporting Publications:
N/A
Referenced in: N/A
Control Type: N/A
CPCSC Level 2: 03.01.09
CMMC Level(s): N/A
Derived From: NIST SP 800-53r5
AC-08
Display a system use notification message with privacy and security notices consistent with applicable CUI rules before granting access to the system.
Discussion:
System use notifications can be implemented using messages or warning banners. The messages or warning banners are displayed before individuals log in to a system that processes, stores, or transmits CUI. System use notifications are used for access via logon interfaces with human users and are not required when human interfaces do not exist. Organizations consider whether a secondary use notification is needed to access applications or other system resources after the initial network logon. Posters or other printed materials may be used in lieu of an automated system message. This requirement is related to 03.15.03.
Assessment Methods and Objectives
Examine [SELECT FROM: access control policy and procedures; privacy and security policies, procedures for system use notification; documented approval of system use notification messages; system audit records; user acknowledgements of system use notification messages; system design documentation; system configuration settings; system use notification messages; system security plan; other relevant documents or records]
Interview [SELECT FROM: personnel with information security responsibilities; legal counsel; system developers; system administrators]
Test [SELECT FROM: mechanisms for implementing system use notifications]
NIST SP 800-171A r3 Determining Statements
Determine if:
A.03.01.09: a system use notification message with privacy and security notices consistent with applicable CUI rules is displayed before granting access to the system.