Navigate

CCI-001388

CCI-001388 Definition

For publicly accessible systems, includes a description of the authorized uses of the system.

Status
Type	CheckType.technical

Master Assessment Datasheet

Implementation Guidance

Determine if for publicly accessible systems, a description of the authorized uses of the system is included.

Validation Procedures

Examine: [SELECT FROM: Access control policy; privacy and security policies, procedures addressing system use notification; documented approval of system use notification messages or banners; system audit records; user acknowledgements of notification message or banner; system design documentation; system configuration settings and associated documentation; system use notification messages; system security plan; privacy plan; privacy impact assessment; privacy assessment report; other relevant documents or records]. Interview: [SELECT FROM: System/network administrators; organizational personnel with information security and privacy responsibilities; legal counsel; system developers]. Test: [SELECT FROM: Mechanisms implementing system use notification].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-001388.

Control	Description
AC-8	a: Display [system use notification message or banner to be displayed by the system to users before granting access to the system is defined;] to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that: 1: Users are accessing a U.S. Government system; 2: System usage may be monitored, recorded, and subject to audit; 3: Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and 4: Use of the system indicates consent to monitoring and recording; b: Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and c: For publicly accessible systems: 1: Display system use information [conditions for system use to be displayed by the system before granting further access are defined;] , before granting further access to the publicly accessible system; 2: Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and 3: Include a description of the authorized uses of the system.

Control

Description

AC-8

a: Display [system use notification message or banner to be displayed by the system to users before granting access to the system is defined;] to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:
- 1: Users are accessing a U.S. Government system;
- 2: System usage may be monitored, recorded, and subject to audit;
- 3: Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
- 4: Use of the system indicates consent to monitoring and recording;

b: Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and

c: For publicly accessible systems:
- 1: Display system use information [conditions for system use to be displayed by the system before granting further access are defined;] , before granting further access to the publicly accessible system;
- 2: Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
- 3: Include a description of the authorized uses of the system.