Privacy and security notice compliance for NIST 800-171 and CMMC

The Ultimate Guide to Privacy and Security Notices for NIST 800-171 and CMMC

What is a privacy and security notice? Where does it need to be displayed to meet your NIST 800-171 compliance requirements

Join our newsletter:

What is a Privacy and Security notice?

Privacy and security notices are essentially logon banners that are displayed on the screen of a system before you log into them. These notices require users to consent to an organization’s acceptable use policies and grant consent to monitoring of their activity. In relation to NIST 800-171 and CMMC it also involves acknowledging that the system they are accessing is used to process, store, or, transmit CUI.

NIST 800-171 & CMMC 2.0 Level 2 Privacy and Security Notice Requirements

Privacy and Security Notice NIST
3.1.9 Provide privacy and security notices consistent with applicable “Controlled Unclassified Information” (CUI) rules.
What does the Privacy and Security Notice Have to Say?
There isn’t a specific privacy and security notice text you have to use in your logon banners. But it should cover that activity on the system is subject to monitoring, recording, and auditing. It should also describe authorized use of the system and mention that the system processes CUI.

Example NIST 800-171 and CMMC Privacy and Security Notices

Information system usage may be monitored or recorded, and is subject to audit. The information stored on this system is not private. Unauthorized use of the information system is prohibited and may be subject to disciplinary, criminal, and civil penalties. The information system contains controlled unclassified information (CUI) with specific handling requirements imposed by the Department of Defense. By using this system, you agree to adhere to the organization's acceptable use and CUI handling policies and procedures.
If the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. An example is "I've read & consent to terms in IS user agreement."

Where and How Do you Display Privacy and Security Notices?

According to NIST Handbook 162 “System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist.”
As a result, any system a human can log into that processes, stores, or transmits CUI should have a logon banner stating your privacy and security notices. This includes computers, network devices, and cloud resources.
To set a logon banner for Windows computers you can use Microsoft Group Policy or Microsoft Endpoint Manager.
To set a logon banner for Microsoft 365 simply log into the Azure admin panels and navigate to the company branding page. You can even set a background image for your login page.
You can even create a logon banner on Cisco devices.


Identify which of your systems process, store, or transmit controlled unclassified information (CUI) and configure logon banners/messages for them. If they don’t accept your entire privacy and security notice message try to shorten it. Avoid using IT components that do not allow you to configure a logon banner as this is a NIST 800-171 and CMMC 2.0 level 2 requirement.

Quick & Simple

Discover Our Cybersecurity Compliance Solutions:

Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you

 NIST SP 800-171 & CMMC Compliance App

NIST SP 800-171 & CMMC Compliance

Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC requirements.
 HIPAA Compliance App

HIPAA Compliance

Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
 FAR 52.204-21 Compliance App

FAR 52.204-21 Compliance

Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.
 ISO 27001 Compliance App

ISO 27001 Compliance

Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.