CMMC AC.2.005 - Provide Security Notices

CMMC AC.2.005 - Provide Security Notices

Requirement text: AC.2.005: Provide privacy and security notices consistent with applicable CUI rules.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 
System use notifications can be implemented using messages or warning banners displayed
before individuals log in to organizational systems. System use notifications are used only
for access via logon interfaces with human users and are not required when such human
interfaces do not exist. Based on a risk assessment, organizations consider whether a
secondary system use notification is needed to access applications or other system resources
after the initial network logon. Where necessary, posters or other printed materials may be
used in lieu of an automated system banner. Organizations consult with the Office of General
Counsel for legal review and approval of warning banner content.

CMMC CLARIFICATION
Every system has legal information about user privacy and security. A system-use
notification banner displays the legal requirements of using the systems. Users are required
to click to agree to the displayed requirements of using the system each time they logon to
the machine. You can use this implicit agreement in the civil and/or criminal prosecution of
an attacker that violates the terms.

Discuss legal notification requirements with your organization’s legal counsel. This will
ensure that they meet all applicable requirements. You should inform the user that:
      • you may monitor, record, and subject to audit any information system usage;
      • you prohibit unauthorized use of the information system;
      • you may subject unauthorized use to criminal and civil penalties; and
      • use of the information system indicates consent to monitoring and recording.

Example
You are setting up IT equipment for your organization. You have worked with legal counsel
to draft a notification. The system displays the required security and privacy information
when anyone logs on to your organization’s machines. You ensure that this notification
displays to all users of all of the organization’s machines.

REFERENCES
• NIST SP 800-171 Rev 1 3.1.9
• NIST SP 800-53 Rev 4 AC-8

    • Related Articles

    • CMMC AT.2.056 - Provide Security Awareness Training

      Requirement text: AT.2.056: Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to ...

    • Security Assessment: SP 800-171 Security Family 3.12

      A security requirement assessment is the testing and/or evaluation of the management, operational, and technical security requirements on a system to determine the extent to which the requirements are implemented correctly, operating as intended, and ...

    • Personnel Security: SP 800-171 Security Family 3.9

      Users play a vital role in protecting a system as many important issues in information security involve users, designers, implementers, and managers. How these individuals interact with the system and the level of access they need to do their jobs ...

    • Access Control: SP 800-171 Security Family 3.1

      Access is the ability to make use of any system resource. Access control is the process of granting or denying requests to:       • use information,       • use information processing services, and       • enter company facilities.  System-based ...

    • CMMC AT.2.057 - Provide Role-based Security Training

      Requirement text: AT.2.057: Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 Organizations determine the content and frequency of ...