NIST Special Publication 800-171 Revision 2
Date Published: January 28th, 2021
Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3
Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)
Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors, who are subject to 252.204-7012, to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer. Click Here
3.1.9 Provide privacy and security notices consistent with applicable CUI rules.
Control Family: Access Control
Control Type: Derived
SPRS Value: 1
CMMC Level(s): AC.L2-3.1.9
Top Ten Failed Requirement: No
Referenced in:
DFARS 252.204-7012
Derived From: NIST SP 800-53r4
AC-8
Discussion:
System use notifications can be implemented using messages or warning banners displayed before individuals log in to organizational systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Based on a risk assessment, organizations consider whether a secondary system use notification is needed to access applications or other system resources after the initial network logon. Where necessary, posters or other printed materials may be used in lieu of an automated system banner. Organizations consult with the Office of General Counsel for legal review and approval of warning banner content.
Determining Statements (NIST SP 800-171Ar2)
Upon assessment, assessors must determine if-
3.1.9[a] privacy and security notices required by CUI-specified rules are identified,
consistent, and associated with the specific CUI category.
3.1.9[b] privacy and security notices are displayed.
Assessors are instructed to-
Examine: [SELECT FROM: Privacy and security policies, procedures addressing system use notification; documented approval of system use notification messages or banners; system audit logs and records; system design documentation; user acknowledgements of notification message or banner; system security plan; system use notification messages; system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; personnel with responsibility for providing legal advice; system developers].
Test: [SELECT FROM: Mechanisms implementing system use notification].
FURTHER DISCUSSION
Every system containing or providing access to CUI has legal requirements concerning user privacy and security notices. One method of addressing this requirement is the use of a system-use notification banner that displays the legal requirements of using the system. Users may be required to click to agree to the displayed requirements of using the system each time they log on to the machine. This agreement can be used in the civil and/or criminal prosecution of an attacker that violates the terms. The legal notification should meet all applicable requirements. At a minimum, the notice should inform the user that:
information system usage may be monitored or recorded, and is subject to audit;
unauthorized use of the information systems is prohibited;
unauthorized use is subject to criminal and civil penalties;
use of the information system affirms consent to monitoring and recording;
the information system contains CUI with specific requirements imposed by the Department of Defense; and
use of the information system may be subject to other specified requirements associated with certain types of CUI such as Export Controlled information.
Example 1
e You are setting up IT equipment including a database server that will contain CUI. You have worked with legal counsel to draft a notification. It contains both general and specific CUI security and privacy requirements [a]. The system displays the required security and privacy information before anyone logs on to your organization’s computers that contain or provide access to CUI [b].
Potential Assessment Considerations
Are objectives identified for privacy and security notices, and does the implementation satisfy the required objectives [a,b]? Discrepancies may indicate a deficient process and/or an incomplete objective for the overall requirement.
Are there any special requirements associated with the specific CUI category [a]?
Are appropriate notices displayed in areas where paper-based CUI is stored and processed [b]?
Frameworks & Controls
3.1.3: Control the flow of CUI in accordance with approved authorizations
3.1.6: Use non-privileged accounts or roles when accessing nonsecurity functions
3.1.9: Provide privacy and security notices consistent with applicable CUI rules
3.1.11: Terminate (automatically) a user session after a defined condition
3.1.13: Employ cryptographic mechanisms to protect the confidentiality of remote access sessions
3.1.14: Route remote access via managed access control points
3.1.16: Authorize wireless access prior to allowing such connections
3.1.17: Protect wireless access using authentication and encryption
3.1.19: Encrypt CUI on mobile devices and mobile computing platforms
3.1.20: Verify and control/limit connections to and use of external systems
3.1.21: Limit use of portable storage devices on external systems
3.1.22: Control CUI posted or processed on publicly accessible systems