NetStable
Level 2 AC.L2-3.1.9

Provide privacy and security notices consistent with applicable CUI rules

📖 What This Means

This practice requires organizations to clearly inform users about privacy and security policies when handling Controlled Unclassified Information (CUI). It means posting visible notices that explain: 1) What CUI is being collected/processed, 2) How it's protected, and 3) User responsibilities. For example, when employees log into a system containing defense contract data, they should see a banner warning about CUI handling rules. Another example: contractors accessing a shared drive with technical drawings should receive a pop-up notice about export control restrictions before accessing files. The key is making these notices unavoidable and understandable.

🎯 Why It Matters

Without proper notices, users may mishandle sensitive data without realizing it. The DoD found 62% of CUI breaches in 2022 involved accidental misuse by authorized personnel. One defense contractor faced a $1.8M penalty when an engineer shared blueprints with a foreign national, claiming they 'didn't see any warnings.' CUI notices serve three critical purposes: 1) They create legal accountability, 2) They raise awareness of handling requirements, and 3) They demonstrate compliance effort to auditors. The CMMC perspective treats this as foundational - you can't enforce rules people don't know exist.

How to Implement

  1. Configure Azure Information Protection labels for CUI documents
  2. Set up AWS S3 bucket policies that display access warnings
  3. Implement Okta login banners for cloud applications
  4. Use Microsoft Purview to tag and label CUI data
  5. Configure Google Workspace alert banners for CUI-containing drives

⏱️ Estimated Effort
2-3 days for initial implementation (Mid-level IT skills), 1 hour/month maintenance

📋 Evidence Examples

Login Banner Screenshot

Format: PNG/JPG with timestamp
Frequency: Annual or after policy changes
Contents: Clear CUI notice text matching DoD requirements
Collection: Screen capture during access attempt

CUI Handling Policy

Format: PDF with version control
Frequency: Review quarterly
Contents: Specific sections about notice requirements
Collection: Policy management system

User Acknowledgment Logs

Format: CSV/Excel
Frequency: Monthly
Contents: User ID, timestamp, notice version
Collection: HR system exports

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For AC.L2-3.1.9 ("Provide privacy and security notices consistent with applicable CUI rules"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe how access to CUI systems is controlled, including the specific IAM tools, policies, and processes used. Reference your Access Control Policy and identify the systems in scope. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"AC.L2-3.1.9 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to provide privacy and security notices consistent with applicable CUI rules. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"AC.L2-3.1.9 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to provide privacy and security notices consistent with applicable CUI rules. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"AC.L2-3.1.9 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all access points to CUI systems (VPN, direct network, cloud portals)
  • Document which IAM system manages access (Azure AD, AWS IAM, on-prem AD)
  • Map user roles to system access levels
  • Ensure this control covers all systems within your defined CUI boundary where the requirement to provide privacy and security notices consistent with applicable CUI rules applies
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Access Control Policy
  • 📄 IAM configuration documentation
  • 📄 Access request and approval records
  • 📄 Evidence artifacts specific to AC.L2-3.1.9
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will verify that access controls are implemented as described, test whether unauthorized users are blocked, and review access logs for evidence of enforcement.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do all systems storing/processing CUI display access notices?

✅ YES → Proceed to Q2
❌ NO → GAP: Implement login banners within 30 days using Group Policy or cloud equivalent
Remediation: Technical implementation guide provided

Question 2: Are notices reviewed annually for regulatory updates?

✅ YES → Proceed to Q3
❌ NO → GAP: Schedule policy review within 2 weeks
Remediation: Calendar reminder system setup

Question 3: Can you produce evidence of user acknowledgments?

✅ YES → Compliant
❌ NO → GAP: Implement acknowledgment system within 45 days
Remediation: HRIS integration recommended

⚠️ Common Mistakes (What Auditors Flag)

1. Using generic notices without CUI-specific language

Why this happens: Copy-pasting standard IT policies
How to avoid: Use DoD-provided CUI notice templates

2. Failing to update notices after contract changes

Why this happens: Lack of change management process
How to avoid: Integrate with contract onboarding workflows

3. No record of user acknowledgments

Why this happens: Assuming displayed notices are sufficient
How to avoid: Implement mandatory click-through for sensitive systems
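As an added example (not NetStable's own tooling), the following Python script checks a User Acknowledgment Log export in the format listed under Evidence Examples (User ID, timestamp, notice version) against the list of users with CUI access, and reports anyone who has no acknowledgment, acknowledged a superseded notice version, or acknowledged longer ago than the annual review cycle. This is the kind of check that answers Self-Assessment Question 3 and catches Common Mistake 3; the CSV rows, user list, version number and assessment date are all constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export in the page's evidence format: User ID, timestamp, notice version.
ACK_LOG_CSV = """user_id,timestamp,notice_version
alice,2024-03-01T08:15:00Z,2.1
bob,2023-11-20T09:00:00Z,2.0
carol,2024-03-02T10:30:00Z,2.1
dave,2024-01-15T07:45:00Z,2.1
"""

# Constructed list of accounts with access to the CUI system (e.g. from an IAM group export).
CUI_USERS = ["alice", "bob", "carol", "dave", "erin"]

CURRENT_NOTICE_VERSION = "2.1"   # version of the notice currently displayed
MAX_ACK_AGE_DAYS = 365            # notices are reviewed annually; re-acknowledge after each review
AS_OF = datetime(2025, 2, 1, tzinfo=timezone.utc)  # constructed assessment date


def parse_ack_log(text):
    """Return {user_id: (timestamp, version)} keeping only each user's latest acknowledgment."""
    latest = {}
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        uid = row["user_id"].strip()
        if uid not in latest or ts > latest[uid][0]:
            latest[uid] = (ts, row["notice_version"].strip())
    return latest


def find_gaps(ack_log, users, current_version, now, max_age_days=MAX_ACK_AGE_DAYS):
    """Map each CUI user without a valid, current acknowledgment to the reason for the gap."""
    gaps = {}
    for uid in users:
        if uid not in ack_log:
            gaps[uid] = "no acknowledgment on record"
            continue
        ts, version = ack_log[uid]
        if version != current_version:
            gaps[uid] = f"acknowledged notice v{version}, current is v{current_version}"
        elif now - ts > timedelta(days=max_age_days):
            gaps[uid] = f"acknowledgment older than {max_age_days} days"
    return gaps


if __name__ == "__main__":
    for uid, reason in find_gaps(parse_ack_log(ACK_LOG_CSV), CUI_USERS, CURRENT_NOTICE_VERSION, AS_OF).items():
        print(f"{uid}: {reason}")
```

Run against the real monthly export and IAM group list, the non-empty result is the remediation list; an empty result is the evidence an assessor can check against the acknowledgment log.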

📚 Parent Policy

This practice is governed by the Access Control Policy


📚 Related Controls