
How to Meet AC.L2-3.1.9

Practical guide for SMBs to implement AC.L2-3.1.9

Lake Ridge Team • September 29, 2025 • 4 min read


Requirement

AC.L2-3.1.9 – Provide privacy and security notices consistent with applicable “Controlled Unclassified Information” (CUI) rules.

This control comes from NIST SP 800-171 Rev. 2 and is part of CMMC 2.0 Level 2.

Understanding the Requirement

This control requires you to display a privacy/security notice before any user logs into a system that provides access to CUI. The notice must use consistent wording across your environment, reference the specific CUI category where category-specific rules apply, and be displayed prominently so users acknowledge it before they gain access. In short: identify where CUI can be accessed, craft a compliant banner, and ensure it appears everywhere a user can log in.

Policies and Procedures Needed

Create a System Use Notification Policy that defines the approved banner text, where it must appear (workstations, servers, remote access, cloud/SaaS, and administrative consoles), and how often it is reviewed. Document procedures for implementing the banner on each platform, adding it to new systems during onboarding, and removing or updating it during offboarding or system decommissioning. Include responsibilities (system/network administrators and security staff), change control for any banner text edits, evidence collection (screenshots and configuration exports), and a quarterly review to verify coverage across all CUI-relevant systems and to align notices with any CUI category-specific requirements.

Technical Implementation

  • Inventory CUI access points: List every place users can access CUI, including Windows/macOS/Linux endpoints, servers, VDI, SSH/RDP, VPN/zero trust gateways, and cloud apps (e.g., Microsoft 365, Google Workspace, major SaaS tied to CUI). Prioritize interactive logins and any externally accessible portals.
  • Standardize approved banner text: Adopt a single, approved message that covers consent to monitoring, prohibition on unauthorized use, and CUI-specific requirements. Example text you can use: “Information system usage may be monitored or recorded and is subject to audit. The use of this information system affirms consent to monitoring and recording. Unauthorized use of the information systems is prohibited and subject to criminal and civil penalties. This system contains CUI with specific requirements imposed by the Department of Defense and may be subject to additional requirements associated with certain types of CUI such as Export Controlled information.” If applicable, tailor a variant for systems handling specific CUI categories and reference that category by name.
  • Implement banners across platforms:
    • Windows: Use Group Policy to set “Interactive logon: Message title/text” for all domain-joined systems (workstations and servers).
    • macOS: Push a pre-login banner via MDM (e.g., login window text or lock screen message).
    • Linux/UNIX: Configure /etc/issue and /etc/motd (and, if used, Pluggable Authentication Modules) to present the banner for local console and SSH.
    • Remote access: Configure VPN and bastion/zero trust portals to display a click-through notice before authentication.
    • Cloud/SSO: Configure your identity provider sign-in message or Terms of Use so users must review/accept before accessing Microsoft 365 and other SaaS used for CUI.
  • Make it unavoidable and auditable: Require users to acknowledge (OK/Accept) where possible and prevent bypass. For services that cannot show a banner, force access through an SSO portal that provides the notice. Retain acceptance logs where the platform supports it.
  • Cover administrative and shared interfaces: Ensure the banner is also on hypervisors, management consoles, backups, jump servers, and any system admins use to reach CUI resources. For non-interactive service accounts, document why a banner is not applicable.
  • Verify and keep evidence: Test on each platform, capture screenshots of the banner at login, export relevant configuration settings, and store these in your compliance repository. Re-verify quarterly and whenever you add new systems or change CUI categories.
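The Linux portion of the procedure above, as an added example that is not part of the original article: a POSIX shell script that installs the approved notice in /etc/issue, /etc/issue.net and /etc/motd, sets the sshd Banner directive so the text is shown before SSH authentication, and audits the result for the quarterly evidence review. The ROOT argument is an assumed convention for running the script against a staging directory; leave it empty on a real host.

```shell
#!/bin/sh
# Added example (not from the original article): install the approved
# system use notice on a Linux host and audit that it is in place.
# ROOT: empty for a live host, or a staging directory (assumed convention).
set -eu

# The article's example banner text, used verbatim in every file.
BANNER_TEXT='Information system usage may be monitored or recorded and is subject to audit. The use of this information system affirms consent to monitoring and recording. Unauthorized use of the information systems is prohibited and subject to criminal and civil penalties. This system contains CUI with specific requirements imposed by the Department of Defense and may be subject to additional requirements associated with certain types of CUI such as Export Controlled information.'

# install_banner ROOT: write the notice for the local console (/etc/issue),
# pre-authentication SSH (/etc/issue.net) and post-login (/etc/motd), then
# point sshd at /etc/issue.net. Idempotent, so it can be re-run at every
# quarterly review without duplicating the directive.
install_banner() {
    root="${1:-}"
    mkdir -p "$root/etc/ssh"
    for f in issue issue.net motd; do
        printf '%s\n' "$BANNER_TEXT" > "$root/etc/$f"
        chmod 0644 "$root/etc/$f"
    done
    cfg="$root/etc/ssh/sshd_config"
    touch "$cfg"
    # replace any existing Banner directive with the approved one
    grep -vi '^[[:space:]]*Banner[[:space:]]' "$cfg" > "$cfg.tmp" || true
    printf 'Banner /etc/issue.net\n' >> "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# check_banner ROOT: succeed only if each file carries the approved text
# verbatim and sshd is configured to show it before authentication. The
# PASS/FAIL lines are the kind of evidence the compliance repository keeps.
check_banner() {
    root="${1:-}"
    rc=0
    for f in issue issue.net motd; do
        if [ "$(cat "$root/etc/$f" 2>/dev/null)" = "$BANNER_TEXT" ]; then
            echo "PASS $root/etc/$f carries the approved banner"
        else
            echo "FAIL $root/etc/$f: approved banner text missing"; rc=1
        fi
    done
    if grep -qi '^[[:space:]]*Banner[[:space:]][[:space:]]*/etc/issue.net' \
        "$root/etc/ssh/sshd_config" 2>/dev/null; then
        echo "PASS sshd_config: Banner /etc/issue.net"
    else
        echo "FAIL sshd_config: Banner /etc/issue.net not set"; rc=1
    fi
    return "$rc"
}
```

After running it on a live host, validate the daemon configuration with `sshd -t` and reload sshd so the pre-authentication banner takes effect. Note that /etc/motd is shown only after a successful login, so it supplements rather than replaces the pre-login notice.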

Example in a Small or Medium Business

A 90-person engineering firm handles CUI related to defense projects in SharePoint Online and on a small set of Windows servers. The IT manager creates an approved system use notice that includes consent to monitoring and a reference to Export Controlled CUI. System administrators push the banner to all Windows endpoints via Group Policy and to servers through the same GPO. They configure the company’s VPN portal to display a click-through notice before users can authenticate. For Microsoft 365, they add an Azure AD sign-in message so employees see the banner before reaching SharePoint or Teams. Linux build servers used by engineers are updated with the banner in /etc/issue and SSH login messages. Finally, the team documents screenshots, exports the GPO setting, and saves VPN and Azure AD configurations, then schedules a quarterly review to confirm the banner appears everywhere CUI is accessible.

Summary

Meeting AC.L2-3.1.9 comes down to knowing where users can reach CUI, publishing a consistent and CUI-appropriate system use notice, and ensuring it appears—and is acknowledged—before access on every relevant system. A clear policy and simple technical standards (GPO, MDM, SSH banners, VPN/SSO notices) make deployment repeatable across endpoints, servers, remote access, and cloud services. Routine verification with screenshots, configuration exports, and periodic reviews provides the evidence you need and keeps coverage current as your environment evolves.
