CMMC Privacy & Security Notice Requirements
By: Omer Kaan Aslim
October 19, 2020
Learn which companies need to deploy system use notifications, what they should say, and how to deploy them.
Cybersecurity Maturity Model Certification System Use Notification Requirement
Companies seeking CMMC Level 2 or higher certification are required to deploy system use notifications.
The required CMMC practice is AC.2.005: provide privacy and security notices consistent with applicable “Controlled Unclassified Information” (CUI) rules.
What are Privacy & Security Notices?
CMMC practice AC.2.005 originates from the NIST 800-53 control AC-8. This control requires that “system use notifications” be displayed when a user logs into a system. A system use notification is simply a message that a user reads and accepts before they log in. The goal is to let users know that they must adhere to your security policies and that their use of the system may be monitored. By logging into the system, they consent to the stated conditions.
Privacy & Security Notice/System Use Notification Template
“You are accessing a YOUR COMPANY NAME Information System (IS) that is provided for COMPANY NAME-authorized use only. This IS may contain federal contract information and controlled unclassified information. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
- COMPANY NAME routinely intercepts and monitors communications on this IS.
- At any time, COMPANY NAME may inspect and seize data stored on this IS.
- Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any COMPANY NAME-authorized purpose.
- This IS includes security measures (e.g., authentication and access controls) to protect COMPANY NAME interests, not for your personal benefit or privacy.”
How and Where to Deploy Privacy & Security Notices
You want to deploy your system use notification anywhere someone can log into your information system. This includes workstations, servers, cloud services (e.g., Office 365), and network devices. Not all systems will accept a paragraph as long as the template above, so you may need to shorten it.
You can deploy your system use notification to your Windows systems using group policy. If you manage your Macs using a Mac server, you can deploy the login message to them; otherwise, configure them individually. Office 365 allows you to place a message on the login page. Most network devices will allow you to set up a login message as well. Linux servers also allow you to create a login message.
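As an added example (not from the original article), the following POSIX shell script stages the notice on a Linux server: it writes a shortened form of the template to /etc/issue (local console) and /etc/issue.net, and sets the sshd Banner directive so SSH users see it before they authenticate. The root-prefix argument and the company name are assumptions added so the script can be staged into a scratch directory and reviewed before running it as root on the live host.

```shell
#!/bin/sh
# Added example: deploy a pre-login system use notification on a Linux server.
# deploy_banner ROOT COMPANY
#   ROOT    - prefix for the filesystem ("" for the live host, or a staging dir)
#   COMPANY - name substituted into the notice (assumed placeholder)
deploy_banner() {
    root="${1:-}"
    company="${2:-COMPANY NAME}"
    issue="$root/etc/issue"
    issue_net="$root/etc/issue.net"
    sshd_cfg="$root/etc/ssh/sshd_config"

    mkdir -p "$root/etc/ssh"
    [ -f "$sshd_cfg" ] || : > "$sshd_cfg"

    # Shortened notice: many consoles cannot display the full template paragraph.
    cat > "$issue_net" <<EOF
You are accessing a $company Information System (IS) provided for $company-authorized use only.
This IS may contain federal contract information and controlled unclassified information.
By using this IS you consent to routine monitoring, interception, search, and seizure of data on it.
EOF
    # Same text for local console logins.
    cp "$issue_net" "$issue"

    # Drop any existing Banner line (active or commented out) and append ours,
    # so exactly one Banner directive remains. Uses a temp file instead of
    # "sed -i" for portability between GNU and BSD userlands.
    tmp="$sshd_cfg.tmp"
    grep -Ev '^[#[:space:]]*Banner[[:space:]]' "$sshd_cfg" > "$tmp" || true
    printf 'Banner /etc/issue.net\n' >> "$tmp"
    mv "$tmp" "$sshd_cfg"
    # Reload sshd afterwards (e.g. "systemctl reload sshd") for SSH to pick it up.
}

# Returns 0 only if both banner files are non-empty and sshd is set to show the
# notice before authentication; useful as an assessment-evidence check.
verify_banner() {
    root="${1:-}"
    [ -s "$root/etc/issue" ] && [ -s "$root/etc/issue.net" ] &&
        grep -Eq '^Banner[[:space:]]+/etc/issue\.net$' "$root/etc/ssh/sshd_config"
}
```

Note that /etc/motd is printed only after a successful login, so it does not by itself satisfy a notice that must be accepted before access is granted.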