Privacy and security notices are essentially logon banners that are displayed on the screen of a system before you log into them. These notices require users to consent to an organization’s acceptable use policies and grant consent to monitoring of their activity. In relation to NIST 800-171 and CMMC it also involves acknowledging that the system they are accessing is used to process, store, or, transmit CUI.
3.1.9 Provide privacy and security notices consistent with applicable “Controlled Unclassified Information” (CUI) rules.
What does the Privacy and Security Notice Have to Say?
There isn’t a specific privacy and security notice text you have to use in your logon banners. But it should cover that activity on the system is subject to monitoring, recording, and auditing. It should also describe authorized use of the system and mention that the system processes CUI.
Example NIST 800-171 and CMMC Privacy and Security Notices
Information system usage may be monitored or recorded, and is subject to audit. The information stored on this system is not private. Unauthorized use of the information system is prohibited and may be subject to disciplinary, criminal, and civil penalties. The information system contains controlled unclassified information (CUI) with specific handling requirements imposed by the Department of Defense. By using this system, you agree to adhere to the organization's acceptable use and CUI handling policies and procedures.
If the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. An example is "I've read & consent to terms in IS user agreement."
Where and How Do you Display Privacy and Security Notices?
According to NIST Handbook 162 “System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist.”
As a result, any system a human can log into that processes, stores, or transmits CUI should have a logon banner stating your privacy and security notices. This includes computers, network devices, and cloud resources.
Identify which of your systems process, store, or transmit controlled unclassified information (CUI) and configure logon banners/messages for them. If they don’t accept your entire privacy and security notice message try to shorten it. Avoid using IT components that do not allow you to configure a logon banner as this is a NIST 800-171 and CMMC 2.0 level 2 requirement.
Quick & Simple
Discover Our Cybersecurity Compliance Solutions:
Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you
NIST SP 800-171 & CMMC Compliance
Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC requirements.