AC.2.005

Control Acronym

AC

Family

Access Control

CMMC Level

2

800-171 Control #

3.1.9

CMMC Description

Provide privacy and security notices consistent with applicable CUI rules.

CMMC Clarification

Every system has legal information about user privacy and security. A system-use notification banner displays the legal requirements of using the systems. Users are required to click to agree to the displayed requirements of using the system each time they logon to the machine. You can use this implicit agreement in the civil and/or criminal prosecution of an attacker that violates the terms. Discuss legal notification requirements with your organization’s legal counsel. This will ensure that they meet all applicable requirements. You should inform the user that: * you may monitor, record, and subject to audit any information system usage * you prohibit unauthorized use of the information system * you may subject unauthorized use to criminal and civil penalties * use of the information system indicates consent to monitoring and recording. Example You are setting up IT equipment for your organization. You have worked with legal counsel to draft a notification. The system displays the required security and privacy information when anyone logs on to your organization’s machines. You ensure that this notification displays to all users of all of the organization’s machines.

800-171 Description

Provide privacy and security notices consistent with applicable CUI rules.

800-171 Discussion

System use notifications can be implemented using messages or warning banners displayed before individuals log in to organizational systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Based on a risk assessment, organizations consider whether a secondary system use notification is needed to access applications or other system resources after the initial network logon. Where necessary, posters or other printed materials may be used in lieu of an automated system banner. Organizations consult with the Office of General Counsel for legal review and approval of warning banner content.

Other Source Discussion

N/A

CIS Control References

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 AC-8

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.1.9

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference

Assessment Sub-Criteria 1

AC.2.005.[a] privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category; and

Assessment Sub-Criteria 2

AC.2.005.[b] privacy and security notices are displayed.

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15