This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system:
a. Displays to users [FedRAMP Assignment: (L)(M)(H) see additional Requirements and Guidance] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
1. Users are accessing a U.S. Government information system;
2. Information system usage may be monitored, recorded, and subject to audit;
3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
4. Use of the information system indicates consent to monitoring and recording;
b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and
c. For publicly accessible systems:
1. Displays system use information [FedRAMP Assignment: (L)(M)(H) see additional Requirements and Guidance], before granting further access;
2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
3. Includes a description of the authorized uses of the system.
AC-8 Additional FedRAMP Requirements and Guidance: The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.
AC-8 Additional FedRAMP Requirements and Guidance: The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO.
AC-8 Additional FedRAMP Requirements and Guidance: If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.
AC-8 Additional FedRAMP Requirements and Guidance: If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.
NIST 800-53 (r4) Supplemental Guidance:
System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content.
References: None.
NIST 800-53 (r5) Discussion:
System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content.
38North Guidance:
Meets Minimum Requirement:
Implement a system use notification banner on both the internal system platform (backend components) and the external system applications (frontend/customer login), including the management console where technically feasible. Where it is not technically possible, document the deviation in the SSP as an alternative implementation.
Banner wording needs to address:
Users are accessing a U.S. Government information system;
Information system usage may be monitored, recorded, and subject to audit;
Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
Use of the information system indicates consent to monitoring and recording;
Where text limitations exist (e.g., a character limit), a shortened banner can be acceptable so long as it addresses the FedRAMP control requirements.
Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system.
For publicly accessible systems, the organization defines the conditions for system use that the information system displays before granting further access.
For publicly accessible systems, the organization displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems, which generally prohibit those activities.
For publicly accessible systems, the organization includes a description of the authorized uses of the system.
Best Practice:
Display a notification banner on all system components; it must be read and acknowledged before the user enters credentials to authenticate to the system.
The banner should state what is and is not permitted within the FedRAMP boundary, including what is monitored, audited, and recorded.
Where a warning banner can be added to the following, it should be, although this is not required or tested by the 3PAO: SSH into provisioned virtual server instances (VSI); SSH into Kubernetes worker nodes; exec into containers. If access is restricted through a bastion host, the banner on the bastion is likely sufficient.
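For the SSH cases above, OpenSSH's sshd_config "Banner" directive sends the named file to the client before authentication is allowed, which satisfies the "before entering credentials" requirement. The script below is an added example, not part of the original page or 38North's material: it checks that an sshd_config has a Banner directive pointing at a readable file and that the banner text addresses the four AC-8 elements, then rolls several configs up into a passed/total count of the kind the FedRAMP configuration-baseline guidance above asks for. The file paths, the sample sshd_config files, the banner wording and the keyword phrases it searches for are all constructed for this example; the keyword test is a minimal plausibility check, not a substitute for legal review of the banner wording.

```shell
#!/bin/sh
# Added example, not from the original page or 38North: verify that an OpenSSH
# server is configured to show a system use notification before authentication
# (the sshd_config "Banner" directive) and that the banner text addresses the
# four AC-8 elements. File paths and banner text below are constructed for the
# demonstration; on a live host point check_sshd_banner at /etc/ssh/sshd_config.

# Print the value of the first top-level Banner directive, if any.
# OpenSSH uses the first value it reads for a keyword; commented lines
# ("#Banner none") start with "#" and do not match.
sshd_banner_path() {
    awk 'tolower($1) == "banner" { print $2; exit }' "$1"
}

# Check that the banner text addresses each AC-8 element. The phrases are this
# example's own minimal keyword test (an assumption), not a FedRAMP-approved
# wording check; legal review of the actual wording still applies.
banner_covers_ac8() {
    text=$(tr '[:upper:]' '[:lower:]' < "$1")
    missing=0
    for phrase in "u.s. government" "monitored" "unauthorized use" "consent"; do
        case "$text" in
            *"$phrase"*) ;;
            *) echo "MISSING element: $phrase"; missing=$((missing + 1)) ;;
        esac
    done
    [ "$missing" -eq 0 ]
}

# Full check for one sshd_config: Banner set to a readable file that covers AC-8.
check_sshd_banner() {
    path=$(sshd_banner_path "$1")
    if [ -z "$path" ] || [ "$path" = "none" ]; then
        echo "FAIL: no Banner directive in $1"
        return 1
    fi
    if [ ! -r "$path" ]; then
        echo "FAIL: Banner file $path is not readable"
        return 1
    fi
    banner_covers_ac8 "$path"
}

# Configuration-baseline style roll-up over several configs: prints "passed/total".
banner_pass_count() {
    pass=0
    total=0
    for cfg in "$@"; do
        total=$((total + 1))
        check_sshd_banner "$cfg" >/dev/null && pass=$((pass + 1))
    done
    echo "$pass/$total"
}

# --- Constructed demo data: one compliant and one non-compliant configuration ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/issue.net" <<'EOF'
WARNING: You are accessing a U.S. Government information system.
System usage may be monitored, recorded, and subject to audit.
Unauthorized use is prohibited and subject to criminal and civil penalties.
Use of this system indicates consent to monitoring and recording.
EOF
printf 'Port 22\nBanner %s\nPermitRootLogin no\n' "$demo_dir/issue.net" > "$demo_dir/sshd_config.good"
printf 'Port 22\n#Banner none\n' > "$demo_dir/sshd_config.bad"

echo "== compliant config =="
check_sshd_banner "$demo_dir/sshd_config.good" && echo "PASS"
echo "== non-compliant config =="
check_sshd_banner "$demo_dir/sshd_config.bad" || echo "FAIL (expected)"
echo "== baseline roll-up =="
banner_pass_count "$demo_dir/sshd_config.good" "$demo_dir/sshd_config.bad"
```

On a live host, `sshd -T` (run as root) prints the effective configuration after Include and Match processing, so feeding its `banner` line to the same keyword check is more reliable than parsing sshd_config by hand when the file is split across includes. Running this from the bastion and from a sample of VSIs and worker nodes on the agreed periodicity produces both the pass/fail evidence and the screenshots the assessment evidence section below calls for.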
Unofficial FedRAMP Guidance: None.
Assessment Evidence:
Screenshots of the System Use Notification or login banner on a sample set of system components.
Screenshots or a demo of the System Use Notification or login banner being acknowledged by the system administrator before being granted access to the information system component.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD