Privacy and security notice compliance for NIST 800-171 and CMMC

The Ultimate Guide to Privacy and Security Notices for NIST 800-171 and CMMC

What is a privacy and security notice? Where does it need to be displayed to meet your NIST 800-171 compliance requirements?


What is a Privacy and Security notice?

Privacy and security notices are essentially logon banners displayed on a system's screen before you log into it. These notices require users to accept the organization's acceptable use policies and to consent to monitoring of their activity. For NIST 800-171 and CMMC, the notice also has the user acknowledge that the system they are accessing is used to process, store, or transmit CUI.

NIST 800-171 & CMMC 2.0 Level 2 Privacy and Security Notice Requirements

Privacy and Security Notice requirement in NIST SP 800-171

3.1.9 Provide privacy and security notices consistent with applicable “Controlled Unclassified Information” (CUI) rules.

What does the Privacy and Security Notice Have to Say?

There is no specific privacy and security notice text you are required to use in your logon banners. The notice should, however, state that activity on the system is subject to monitoring, recording, and auditing. It should also describe what use of the system is authorized and state that the system processes CUI.

Example NIST 800-171 and CMMC Privacy and Security Notices

Information system usage may be monitored or recorded, and is subject to audit. The information stored on this system is not private. Unauthorized use of the information system is prohibited and may be subject to disciplinary, criminal, and civil penalties. The information system contains controlled unclassified information (CUI) with specific handling requirements imposed by the Department of Defense. By using this system, you agree to adhere to the organization's acceptable use and CUI handling policies and procedures.
If the system cannot display the full banner text because of screen or field size limits, a shorter banner must be used instead. An example is "I've read & consent to terms in IS user agreement."

Where and How Do you Display Privacy and Security Notices?

According to NIST Handbook 162 “System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist.”
As a result, any system that a human can log into and that processes, stores, or transmits CUI should display a logon banner containing your privacy and security notice. This includes computers, network devices, and cloud resources.
To set a logon banner on Windows computers, use Microsoft Group Policy or Microsoft Endpoint Manager.
To set a logon banner for Microsoft 365, sign in to the Azure admin portal and navigate to the company branding page. You can also set a background image for your login page there.
Cisco network devices also support a logon banner, so they can display the notice as well.
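The Windows case above, as an added PowerShell example that is not part of the original article: the Group Policy settings "Interactive logon: Message title/text for users attempting to log on" are stored as the `legalnoticecaption` and `legalnoticetext` values under the policy key below, so a script can both set them on a standalone machine and audit whether they cover the points control 3.1.9 expects. The banner wording is the article's sample notice; the `Test-LogonBanner` keyword checks are an assumption about what an auditor would look for.

```powershell
# Added example (not from the original article). Run as Administrator.
# On domain-joined machines, prefer the Group Policy object itself so the
# banner is enforced centrally; this shows what that policy writes.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$bannerCaption = 'NOTICE: This system processes Controlled Unclassified Information (CUI)'
$bannerText = @"
Information system usage may be monitored or recorded, and is subject to audit.
The information stored on this system is not private. Unauthorized use of the
information system is prohibited and may be subject to disciplinary, criminal,
and civil penalties. The information system contains controlled unclassified
information (CUI) with specific handling requirements imposed by the Department
of Defense. By using this system, you agree to adhere to the organization's
acceptable use and CUI handling policies and procedures.
"@

function Set-LogonBanner {
    param([string]$Caption, [string]$Text)
    # These are the registry values behind the two Group Policy settings.
    Set-ItemProperty -Path $policyKey -Name 'legalnoticecaption' -Value $Caption -Type String
    Set-ItemProperty -Path $policyKey -Name 'legalnoticetext'    -Value $Text    -Type String
}

function Test-LogonBanner {
    # Audit helper (assumed checks): both values present and non-empty, and the
    # text mentions monitoring and CUI, the two points the notice must cover.
    $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    if (-not $props) { return $false }
    $caption = $props.legalnoticecaption
    $text    = $props.legalnoticetext
    if ([string]::IsNullOrWhiteSpace($caption) -or [string]::IsNullOrWhiteSpace($text)) {
        return $false
    }
    return ($text -match 'monitor') -and ($text -match 'CUI')
}

Set-LogonBanner -Caption $bannerCaption -Text $bannerText
if (Test-LogonBanner) {
    Write-Output 'Logon banner is configured and covers monitoring and CUI.'
} else {
    Write-Output 'Logon banner is missing or incomplete; remediate before assessment.'
}
```

Running only `Test-LogonBanner` against a fleet (for example through a remote session) gives a quick inventory of machines whose banner is absent or was overwritten.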

Takeaways

Identify which of your systems process, store, or transmit controlled unclassified information (CUI) and configure logon banners/messages for them. If they don’t accept your entire privacy and security notice message try to shorten it. Avoid using IT components that do not allow you to configure a logon banner as this is a NIST 800-171 and CMMC 2.0 level 2 requirement.