NIST Special Publication 800-171 Revision 2
Date Published: January 28th, 2021
Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3
Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)
Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors, who are subject to 252.204-7012, to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer. Click Here
AC-3.1.9 Provide privacy and security notices consistent with applicable CUI rules.
Control Family: Access Control
Control Type: Derived
SPRS Value: 1
CMMC Level(s):
AC.L2-3.1.9
Top Ten Failed Requirement:
No
Referenced in:
DFARS 252.204-7012
Derived From: NIST SP 800-53r4
AC-8
Discussion:
System use notifications can be implemented using messages or warning banners displayed before individuals log in to organizational systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Based on a risk assessment, organizations consider whether a secondary system use notification is needed to access applications or other system resources after the initial network logon. Where necessary, posters or other printed materials may be used in lieu of an automated system banner. Organizations consult with the Office of General Counsel for legal review and approval of warning banner content.
Determining Statements (NIST SP 800-171Ar2)
Upon assessment, assessors must determine if-
3.1.9[a] privacy and security notices required by CUI-specified rules are identified,
consistent, and associated with the specific CUI category.
3.1.9[b] privacy and security notices are displayed.
Assessors are instructed to-
Examine: [SELECT FROM: Privacy and security policies, procedures addressing system use notification; documented approval of system use notification messages or banners; system audit logs and records; system design documentation; user acknowledgements of notification message or banner; system security plan; system use notification messages; system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; personnel with responsibility for providing legal advice; system developers].
Test: [SELECT FROM: Mechanisms implementing system use notification].
Potential Solutions Based on Staffing
1-10 FTE |
10-49 FTE |
50-249 FTE |
250-999 FTE |
1000+ FTE |
|---|---|---|---|---|
| ComplianceForge NCP | ComplianceForge NCP | ComplianceForge NCP | ComplianceForge NCP | ComplianceForge NCP |
| CUISupply.com | CUISupply.com | ComplianceForge CDPP | ComplianceForge CDPP | ComplianceForge CDPP |
| CUISupply.com | CUISupply.com | CUISupply.com |