CMMC v2.11 Practices

AC.L2-3.1.9  

Reference: CMMC v2.11

Family: AC

Level Introduced: 2

Title: Privacy & Security Notices

Practice:
Provide privacy and security notices consistent with applicable CUI rules.

Further Discussion:
Every system containing or providing access to CUI has legal requirements concerning user privacy and security notices. One method of addressing this requirement is the use of a system-use notification banner that displays the legal requirements of using the system. Users may be required to click to agree to the displayed requirements of using the system each time they log on to the machine. This agreement can be used in the civil and/or criminal prosecution of an attacker that violates the terms.

The legal notification should meet all applicable requirements. At a minimum, the notice should inform the user that:
• information system usage may be monitored or recorded, and is subject to audit;
• unauthorized use of the information systems is prohibited;
• unauthorized use is subject to criminal and civil penalties;
• use of the information system affirms consent to monitoring and recording;
• the information system contains CUI with specific requirements imposed by the Department of Defense; and
• use of the information system may be subject to other specified requirements associated with certain types of CUI such as Export Controlled information.

Example
You are setting up IT equipment including a database server that will contain CUI. You have worked with legal counsel to draft a notification. It contains both general and specific CUI security and privacy requirements [a]. The system displays the required security and privacy information before anyone logs on to your organization’s computers that contain or provide access to CUI [b].

Potential Assessment Considerations
• Are objectives identified for privacy and security notices, and does the implementation satisfy the required objectives [a,b]? Discrepancies may indicate a deficient process and/or an incomplete objective for the overall requirement.
• Are there any special requirements associated with the specific CUI category [a]?
• Are appropriate notices displayed in areas where paper-based CUI is stored and processed [b]?

This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.

This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.

Source: CMMC v2.11