Privacy and security notices are essentially logon banners displayed on a system's screen before you log in. These notices require users to consent to an organization's acceptable use policies and to monitoring of their activity. In relation to NIST 800-171 and CMMC, they also require users to acknowledge that the system they are accessing is used to process, store, or transmit CUI.
3.1.9 Provide privacy and security notices consistent with applicable “Controlled Unclassified Information” (CUI) rules.
What Does the Privacy and Security Notice Have to Say?
There is no prescribed privacy and security notice text that you must use in your logon banners. The notice should, however, state that activity on the system is subject to monitoring, recording, and auditing, describe authorized use of the system, and mention that the system processes CUI.
Example NIST 800-171 and CMMC Privacy and Security Notices
Information system usage may be monitored or recorded, and is subject to audit. The information stored on this system is not private. Unauthorized use of the information system is prohibited and may be subject to disciplinary, criminal, and civil penalties. The information system contains controlled unclassified information (CUI) with specific handling requirements imposed by the Department of Defense. By using this system, you agree to adhere to the organization's acceptable use and CUI handling policies and procedures.
If the system is incapable of displaying the full banner verbiage because of screen or field size limits, a shorter banner must be used. An example is "I've read & consent to terms in IS user agreement."
Where and How Do you Display Privacy and Security Notices?
According to NIST Handbook 162 “System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist.”
As a result, any system a human can log into that processes, stores, or transmits CUI should have a logon banner stating your privacy and security notices. This includes computers, network devices, and cloud resources.
To set a logon banner for Microsoft 365, log into the Azure admin portal and navigate to the company branding page. You can also set a background image for your login page.
Network devices such as Cisco routers and switches also support logon banners.
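For the Windows computers in scope, the same banner is delivered through the interactive-logon legal notice values that back the "Interactive logon: Message title/text" Group Policy settings. The following PowerShell is an added example, not part of the original article: it applies the article's sample notice and then audits that the banner covers monitoring, authorized use, and CUI. It assumes an elevated session and uses the article's example text as the banner body.

```powershell
# Added example: set and audit the NIST 800-171 3.1.9 logon banner on a Windows endpoint.
# Assumption: running in an elevated PowerShell session on the machine being configured.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Caption is a constructed value; the body is the article's example notice.
$BannerCaption = 'Privacy and Security Notice'
$BannerText = @"
Information system usage may be monitored or recorded, and is subject to audit. The information stored on this system is not private. Unauthorized use of the information system is prohibited and may be subject to disciplinary, criminal, and civil penalties. The information system contains controlled unclassified information (CUI) with specific handling requirements imposed by the Department of Defense. By using this system, you agree to adhere to the organization's acceptable use and CUI handling policies and procedures.
"@

function Set-LogonBanner {
    param([string]$Caption, [string]$Text)
    # LegalNoticeCaption / LegalNoticeText are shown before the credential prompt,
    # so the user must click through (consent) before authenticating.
    Set-ItemProperty -Path $PolicyKey -Name 'LegalNoticeCaption' -Value $Caption -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'LegalNoticeText' -Value $Text -Type String
}

function Test-LogonBanner {
    # Audit check for 3.1.9: banner present and covering the three required topics.
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $text = $props.LegalNoticeText
    if ([string]::IsNullOrWhiteSpace($text)) {
        return [pscustomobject]@{ Compliant = $false; Missing = @('banner not set') }
    }
    # Regexes are case-insensitive under -notmatch by default.
    $required = @{
        Monitoring    = 'monitor|record|audit'
        AuthorizedUse = 'unauthorized use|authorized use'
        CUI           = 'controlled unclassified information|\bCUI\b'
    }
    $missing = foreach ($topic in $required.Keys) {
        if ($text -notmatch $required[$topic]) { $topic }
    }
    [pscustomobject]@{ Compliant = (-not $missing); Missing = @($missing) }
}

Set-LogonBanner -Caption $BannerCaption -Text $BannerText
Test-LogonBanner | Format-List
```

Run Test-LogonBanner on its own across a fleet to find endpoints whose banner was never set or was trimmed so far that a required topic dropped out.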
Takeaways
Identify which of your systems process, store, or transmit controlled unclassified information (CUI) and configure logon banners or messages for them. If a system will not accept your entire privacy and security notice, shorten it. Avoid using IT components that do not allow you to configure a logon banner, as this is a NIST 800-171 and CMMC 2.0 Level 2 requirement.