This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;
b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;
c. Reviews and updates the rules of behavior [FedRAMP Assignment: (L)(M) at least every 3 years; (H) annually]; and
d. Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.
NIST 800-53 (r4) Supplemental Guidance:
This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior. Related controls: AC-2, AC-6, AC-8, AC-9, AC-17, AC-18, AC-19, AC-20, AT-2, AT-3, CM-11, IA-2, IA-4, IA-5, MP-7, PS-6, PS-8, SA-5.
References: NIST Special Publication 800-18.
NIST 800-53 (r5) Discussion:
Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in AC-8. The related controls section provides a list of controls that are relevant to organizational rules of behavior. PL-4b, the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons.
38North Guidance:
Meets Minimum Requirement:
There is a rules of behavior document that describes the responsibilities and expected behavior of all privileged and non-privileged users with regard to information and information system usage
The rules of behavior require a signed acknowledgement
There is a procedure requiring that the rules of behavior be signed before access to the information system is granted
The rules of behavior document is signed by all privileged and non-privileged users of the information system
The rules of behavior are easily accessible to privileged and non-privileged users
There is a version history and there are procedures to ensure that the document is reviewed and updated, as necessary, at least every 3 years for a Low or Moderate system, or annually for a High system
There is a procedure requiring that the rules of behavior be re-signed when a new, updated version is finalized
Best Practice:
Leverage FedRAMP Rules of Behavior Template. https://www.fedramp.gov/assets/resources/templates/SSP-A05-FedRAMP-RoB-Template.docx
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Copy of Rules of Behavior document
Information/screenshot of where the rules of behavior are maintained so that they are readily available to all users
List of privileged and non-privileged users of the information system
Rules of Behavior document signed by all privileged and non-privileged users
Version History showing frequency of review and update to the document
If there have been updates, the latest version of the document signed by all privileged and non-privileged users
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD