Organizational Control: System Use Notification

Control ID: AC-8 System Use Notification Family: Access Control Source: NIST 800-53r4
Control: The information system:
  1. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable state and federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
    1. Users are accessing a U.S. Government information system;
    2. Information system usage may be monitored, recorded, and subject to audit;
    3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
    4. Use of the information system indicates consent to monitoring and recording;
  2. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and
  3. For publicly accessible systems:
    1. Displays system use information [Assignment: organization-defined conditions], before granting further access;
    2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
    3. Includes a description of the authorized uses of the system.
Supplemental Guidance:
System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content.

Related Controls: N/A
Control Enhancements: N/A
References: N/A
Mechanisms:
Protocol Implementation Conformance Statements: N/A