| Applicable (Y)es / (N)o | (C)onfidentiality | (I)ntegrity | (A)vailability | RPN (C+I+A) | (S)atisfactory | (O)ther than satisfactory |
|---|---|---|---|---|---|---|
| | L1 / M2 / H3 | L1 / M2 / H3 | L1 / M2 / H3 | | | |
ac-8 | system use notification

assessment objective: Determine if:

- ac-8(a)
  - ac-8(a)[1]: the organization defines a system use notification message or banner to be displayed by the information system to users before granting access to the system;
  - ac-8(a)[2]: the information system displays to users the organization-defined system use notification message or banner before granting access to the information system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, and states that:
    - ac-8(a)[2](1): users are accessing a U.S. Government information system;
    - ac-8(a)[2](2): information system usage may be monitored, recorded, and subject to audit;
    - ac-8(a)[2](3): unauthorized use of the information system is prohibited and subject to criminal and civil penalties;
    - ac-8(a)[2](4): use of the information system indicates consent to monitoring and recording;
- ac-8(b): the information system retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system;
- ac-8(c): for publicly accessible systems:
  - ac-8(c)(1)
    - ac-8(c)(1)[1]: the organization defines conditions for system use to be displayed by the information system before granting further access;
    - ac-8(c)(1)[2]: the information system displays organization-defined conditions before granting further access;
  - ac-8(c)(2): the information system displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
  - ac-8(c)(3): the information system includes a description of the authorized uses of the system.
potential assessment methods and objects:

- Examine: [select from: Access control policy; privacy and security policies, procedures addressing system use notification; documented approval of information system use notification messages or banners; information system audit records; user acknowledgements of notification message or banner; information system design documentation; information system configuration settings and associated documentation; information system use notification messages; other relevant documents or records].
- Interview: [select from: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with responsibility for providing legal advice; system developers].
- Test: [select from: Automated mechanisms implementing system use notification].
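An assessor-side automated check for the "Test" method above, added here as an example and not part of NIST SP 800-53A: it verifies that a banner file states the four ac-8(a)[2] items and that OpenSSH's `Banner` directive (a real sshd_config keyword, first uncommented occurrence wins) points at a banner so it is shown before authentication. The wording the patterns accept and the sample banner and sshd_config are constructed assumptions, not mandated text.

```python
"""Automated check for ac-8(a)[2] banner content and for the OpenSSH Banner
directive that presents it before authentication (constructed example)."""
import re
from typing import Dict, Optional

# One pattern per statement required by ac-8(a)[2](1)-(4). The wording the
# patterns accept is an assumption about typical banner text, not mandated.
REQUIRED: Dict[str, str] = {
    "ac-8(a)[2](1) U.S. Government system": r"u\.?s\.? government",
    "ac-8(a)[2](2) monitored, recorded, audited": r"monitor|record|audit",
    "ac-8(a)[2](3) unauthorized use prohibited": r"unauthori[sz]ed use.*(prohibit|penalt)",
    "ac-8(a)[2](4) consent to monitoring": r"consent",
}

# Constructed sample inputs standing in for /etc/issue.net and /etc/ssh/sshd_config.
SAMPLE_BANNER = """\
This is a U.S. Government information system.
Usage may be monitored, recorded, and subject to audit.
Unauthorized use is prohibited and subject to criminal and civil penalties.
Use of this system indicates consent to monitoring and recording.
"""
SAMPLE_SSHD_CONFIG = "Port 22\n#Banner none\nBanner /etc/issue.net\n"


def check_banner_text(text: str) -> Dict[str, bool]:
    """Map each ac-8(a)[2] statement to whether the banner text states it."""
    flat = " ".join(text.split()).lower()  # collapse line breaks before matching
    return {name: re.search(pat, flat) is not None for name, pat in REQUIRED.items()}


def sshd_banner_path(sshd_config: str) -> Optional[str]:
    """Return the effective Banner path; sshd uses the first uncommented match."""
    for line in sshd_config.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"banner\s+(\S+)", line, re.IGNORECASE)
        if m:
            return None if m.group(1).lower() == "none" else m.group(1)
    return None


def assess(banner_text: str, sshd_config: str) -> Dict[str, bool]:
    """Combine the content checks with whether sshd is wired to show a banner."""
    results = check_banner_text(banner_text)
    results["sshd Banner directive set"] = sshd_banner_path(sshd_config) is not None
    return results


if __name__ == "__main__":
    for finding, ok in assess(SAMPLE_BANNER, SAMPLE_SSHD_CONFIG).items():
        print(f"{'S' if ok else 'O'}  {finding}")  # (S)atisfactory / (O)ther than satisfactory
```

Retention of the banner until the user acknowledges it (ac-8(b)) is not visible in configuration files and still has to be observed at the console or through a test login.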