Navigate

CCI-000048

CCI-000048 Definition

Display an organization-defined system use notification message or banner to users before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines.

Status
Type	CheckType.technical

Master Assessment Datasheet

Implementation Guidance

Determine if [AC-08_ODP[01]; system use notification message or banner to be displayed by the system to users before granting access to the system is defined] is displayed to users before granting access to the system that provides privacy and security notices consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines.

Validation Procedures

Examine: [SELECT FROM: Access control policy; privacy and security policies, procedures addressing system use notification; documented approval of system use notification messages or banners; system audit records; user acknowledgements of notification message or banner; system design documentation; system configuration settings and associated documentation; system use notification messages; system security plan; privacy plan; privacy impact assessment; privacy assessment report; other relevant documents or records]. Interview: [SELECT FROM: System/network administrators; organizational personnel with information security and privacy responsibilities; legal counsel; system developers]. Test: [SELECT FROM: Mechanisms implementing system use notification].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000048.

Control	Description
AC-8	a: Display [system use notification message or banner to be displayed by the system to users before granting access to the system is defined;] to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that: 1: Users are accessing a U.S. Government system; 2: System usage may be monitored, recorded, and subject to audit; 3: Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and 4: Use of the system indicates consent to monitoring and recording; b: Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and c: For publicly accessible systems: 1: Display system use information [conditions for system use to be displayed by the system before granting further access are defined;] , before granting further access to the publicly accessible system; 2: Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and 3: Include a description of the authorized uses of the system.

Control

Description

AC-8

a: Display [system use notification message or banner to be displayed by the system to users before granting access to the system is defined;] to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:
- 1: Users are accessing a U.S. Government system;
- 2: System usage may be monitored, recorded, and subject to audit;
- 3: Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
- 4: Use of the system indicates consent to monitoring and recording;

b: Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and

c: For publicly accessible systems:
- 1: Display system use information [conditions for system use to be displayed by the system before granting further access are defined;] , before granting further access to the publicly accessible system;
- 2: Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
- 3: Include a description of the authorized uses of the system.