Access Control 3.1.9
Provide privacy and security notices consistent with applicable CUI rules.
What Is This CMMC Control?
Organizations must display appropriate privacy and security notices to users before they access systems containing CUI. These notices inform users of their responsibilities, acceptable use policies, monitoring practices, and legal consequences of misuse. The notices must be consistent with applicable CUI handling rules and are typically displayed as login banners, posters, or other visible warnings.
Control Intent
To ensure users are informed of their security and privacy responsibilities, monitoring practices, and legal obligations before accessing systems that process, store, or transmit CUI.
Who This Control Applies To
- All systems that process, store, or transmit CUI
- All user-facing login interfaces for CUI systems
- Physical access points to facilities housing CUI systems
- Remote access portals and VPN gateways
- Application-level access points after initial network logon (when risk assessment indicates)
Not Applicable When
- System interfaces have no human user interaction (API-to-API, automated processes)
- Systems do not process, store, or transmit CUI
- Machine-to-machine authentication without human login
Key Objectives
1. Users are notified of security and privacy policies before accessing systems containing CUI
2. Users acknowledge their responsibilities and consent to monitoring when accessing CUI systems
3. Legal and regulatory requirements for user notification are satisfied before system access is granted
Sample Self-Assessment Questions (Partial)
Do you display a security notice or banner when users log into systems that handle CUI?
What does your login banner or security notice say to users?
Implementation Approaches (High-Level)
Automated Login Banner
Display a security notice banner on all system login screens that users must acknowledge before authentication completes
Physical Security Notices
Post printed security notices in physical locations where users access CUI systems, such as offices, data centers, or secure facilities
Application-Level Secondary Notices
Display additional security notices when users access specific applications or data repositories containing CUI after initial network authentication
Remote Access and VPN Banners
Implement security notices specifically for remote access methods including VPN, remote desktop, and cloud-based access portals
Evidence & Assessment Notes
Expected Evidence
Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.
Plan of Action & Milestones (POA&M)
- If security notices are missing or incomplete, create a POA&M with a milestone to develop legally reviewed notice content within 30 days.
- If notices are not displayed on all access methods, create a POA&M to implement banners on the remaining systems within 60-90 days, based on system count.
- If legal review has not been completed, create a POA&M with a milestone to obtain legal approval within 30 days.
- If the risk assessment for secondary notices has not been performed, create a POA&M to complete the assessment within 60 days.
- If user acknowledgment is not logged, create a POA&M to implement logging within 90 days.
- If physical notices are needed but not posted, create a POA&M to design, print, and post notices within 45 days.
- Compensating controls: documented user training on security policies, signed acceptable use agreements, and enhanced monitoring until banners are implemented.
- The POA&M should specify which systems or access methods lack proper notices and prioritize them based on CUI sensitivity.
- Include testing and verification milestones to ensure notices display correctly and cannot be bypassed.
- Consider a phased implementation starting with the highest-risk or most-used access methods.
Frequently Asked Questions
What must be included in a security notice for CUI systems?
Security notices should inform users that the system contains CUI, describe monitoring practices, state that use constitutes consent to monitoring, define authorized use, warn of consequences for unauthorized use or mishandling of CUI, and reference applicable policies. The specific content must be reviewed and approved by legal counsel to ensure it meets organizational and regulatory requirements.
Do we need security notices on every system or just at the network perimeter?
At minimum, security notices are required at initial logon interfaces where users authenticate to access CUI systems. Based on a risk assessment, organizations may determine that secondary notices are needed when accessing specific applications or data repositories containing CUI after initial network logon. The risk assessment should consider CUI sensitivity, user population, and access patterns.
Can we use the same security notice for all our systems?
You can use consistent notice content across systems, but the notice must be appropriate for all contexts where it is displayed. The notice should address CUI-specific requirements and be general enough to apply to all systems. However, you may need customized notices for specific applications or access methods if they have unique CUI handling requirements or legal considerations.
How is this control verified during a CMMC assessment?
Assessors will request to see security notices from multiple access methods (web portals, VPN, workstations, etc.) and verify that users must acknowledge them before gaining access. They will review documentation showing legal approval of notice content and risk assessments justifying where notices are implemented. Assessors may also test whether notices can be bypassed and review logs of user acknowledgments.
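The following script is an added example, not part of the original page or of ConformatIQ's product, showing one way to audit the automated login banner from the implementation approaches above against the notice elements listed under "What must be included in a security notice" and the bypass check assessors perform. It targets a Linux host running OpenSSH: the `Banner` directive in `sshd_config` is a real OpenSSH option, while the sample banner text, the sample configuration files, and the keyword list standing in for your legally reviewed notice wording are all constructed assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: audit an SSH login banner
# against the notice elements this control calls for. All sample files
# below are constructed for the demonstration.

# check_banner_content FILE
# Returns 0 when FILE mentions every required notice element, 1 otherwise,
# naming each missing element on stderr.
check_banner_content() {
  banner="$1"
  rc=0
  # Assumed keywords standing in for the elements in the FAQ: the system
  # holds CUI, monitoring, consent, authorized use, consequences of
  # unauthorized use, and a reference to policy.
  for phrase in "CUI" "monitor" "consent" "authorized use" "unauthorized" "polic"; do
    if ! grep -qi -- "$phrase" "$banner"; then
      echo "MISSING: banner does not mention '$phrase'" >&2
      rc=1
    fi
  done
  return "$rc"
}

# check_sshd_banner SSHD_CONFIG
# Returns 0 when an uncommented Banner directive points at an existing,
# non-empty file. No directive or "Banner none" means sshd shows no notice.
check_sshd_banner() {
  path=$(awk 'tolower($1) == "banner" { print $2; exit }' "$1")
  [ -n "$path" ] && [ "$path" != "none" ] && [ -s "$path" ]
}

# make_samples: write a compliant banner, a weak banner and two sshd_config
# files (constructed samples) into a temporary directory and print its path.
make_samples() {
  dir=$(mktemp -d)
  cat > "$dir/issue.net" <<'EOF'
WARNING: This system processes Controlled Unclassified Information (CUI).
Use is restricted to authorized use by authorized personnel. All activity
is monitored and recorded; by continuing you consent to such monitoring.
Unauthorized use or mishandling of CUI may result in disciplinary action
and criminal prosecution. See the Acceptable Use Policy for details.
EOF
  printf 'Welcome to the server.\n' > "$dir/weak.net"
  printf 'Port 22\nBanner %s\n' "$dir/issue.net" > "$dir/sshd_config.good"
  printf 'Port 22\n#Banner /etc/issue.net\n' > "$dir/sshd_config.bad"
  echo "$dir"
}

# Stand-alone usage: `sh audit_banner.sh --demo` audits the sample files.
if [ "${1:-}" = "--demo" ]; then
  d=$(make_samples)
  check_banner_content "$d/issue.net" && echo "sample banner: OK"
  check_banner_content "$d/weak.net" || echo "weak banner: FAIL"
  check_sshd_banner "$d/sshd_config.good" && echo "sshd_config.good: OK"
  check_sshd_banner "$d/sshd_config.bad" || echo "sshd_config.bad: FAIL"
  rm -rf "$d"
fi
```

On a real host you would point `check_sshd_banner` at `/etc/ssh/sshd_config` and `check_banner_content` at whatever file that directive names; the content check only confirms that the legally approved wording is present, it is not a substitute for the legal review the page calls for. This script covers the SSH path only: console, graphical and web-portal logons need their own checks, and the `Match` blocks in `sshd_config` are not parsed here.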
What if we use single sign-on (SSO) or federated authentication?
Security notices should still be displayed before or during the authentication process, even with SSO or federated authentication. The notice can be implemented at the identity provider level so users see it once per session, or at individual application levels based on your risk assessment. Ensure the notice is displayed before access to CUI is granted, regardless of the authentication method.
Do we need to log every time a user acknowledges the security notice?
While not explicitly required by this control, logging user acknowledgment is a best practice and may be required by other controls or organizational policies. Logging provides evidence that users were presented with and acknowledged the notice, which can be important for legal and compliance purposes. At minimum, you should be able to demonstrate that the notice is displayed and cannot be bypassed.
How ConformatIQ Helps With CMMC Readiness
ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.
Information sourced from NIST SP 800-171 Rev. 2.