03.15.03: Rules of Behavior

Control Family: Planning

SPRS: N/A

Top Ten Failed Requirement: N/A

Supporting Publications:

  • SP 800-18 [63]

Referenced in: N/A

Control Type: N/A

CPCSC Level 2: 03.15.03

CMMC Level(s): N/A

Derived From: NIST SP 800-53r5

  • PL-04

a. Establish rules that describe the responsibilities and expected behavior for system usage and protecting CUI.

b. Provide rules to individuals who require access to the system.

c. Receive a documented acknowledgement from individuals indicating that they have read, understand, and agree to abide by the rules of behavior before authorizing access to CUI and the system.

d. Review and update the rules of behavior [Assignment: organization-defined frequency].

Discussion:

Rules of behavior represent a type of access agreement for system users. Organizations consider rules of behavior for the handling of CUI based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users.

Assessment Methods and Objectives

Examine [SELECT FROM: security planning policy and procedures; rules of behavior for system users; signed acknowledgements of rules of behavior; records for rules of behavior reviews and updates; system security plan; other relevant documents or records]

Interview [SELECT FROM: personnel with rules of behavior establishment, review, and update responsibilities; personnel with literacy training and awareness responsibilities; personnel with role-based training responsibilities; authorized users of the system who have signed rules of behavior; personnel with information security responsibilities]

Test [SELECT FROM: processes for establishing, reviewing, disseminating, and updating rules of behavior; mechanisms for supporting or implementing the establishment, dissemination, review, and update of rules of behavior]

NIST SP 800-171A r3 Determining Statements

Determine if:

A.03.15.03.ODP[01]: the frequency at which the rules of behavior are reviewed and updated is defined.

A.03.15.03.a: rules that describe responsibilities and expected behavior for system usage and protecting CUI are established.

A.03.15.03.b: rules are provided to individuals who require access to the system.

A.03.15.03.c: a documented acknowledgement from individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received before authorizing access to CUI and the system.

A.03.15.03.d[01]: the rules of behavior are reviewed <A.03.15.03.ODP[01]: frequency>.

A.03.15.03.d[02]: the rules of behavior are updated <A.03.15.03.ODP[01]: frequency>.