AC.L2-3.1.9 Privacy & Security Notices

Provide privacy and security notices consistent with applicable CUI rules.

Source: NIST SP 800-171 Rev 2 3.1.9

Discussion: System use notifications can be implemented using messages or warning banners displayed before individuals log in to organizational systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Based on a risk assessment, organizations consider whether a secondary system use notification is needed to access applications or other system resources after the initial network logon. Where necessary, posters or other printed materials may be used in lieu of an automated system banner. Organizations consult with the Office of General Counsel for legal review and approval of warning banner content

Assessment Objectives:

Determine if:

• [a] privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category; and
• [b] privacy and security notices are displayed.

Examine: [SELECT FROM: Access control policy; privacy and security policies, procedures addressing system use notification; documented approval of system use notification messages or banners; system audit logs and records; system design documentation; user acknowledgements of notification message or banner; security plan; system use notification messages; system configuration settings and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; personnel with responsibility for providing legal advice; system developers].

Test: [SELECT FROM: Mechanisms implementing system use notification].

SPRS Score: 1

POA&M Allowed: Yes