Evidence – AC.L2-3.1.9
Provide Privacy and Security Notices
Control Overview
This document describes the evidence used to demonstrate implementation of AC.L2-3.1.9, which requires users to be provided privacy and security notices consistent with CUI handling rules.
This evidence supports the control response documented in the System Security Plan (SSP).
Evidence Objectives
Evidence for this control demonstrates that:
- Users receive a notice upon system access
- The notice communicates authorized use and monitoring expectations
- The notice is presented before or during system access
Evidence Artifacts
1. System Access Notices
Evidence demonstrating user notification may include:
- Login banners or access warnings
- System messages displayed prior to authentication
Examples of acceptable sources:
- Operating system login banners
- Cloud service access or warning notices
Evidence Retention
Evidence supporting this control is retained in accordance with organizational policy and contractual requirements and is available for review during assessment.
Notes
The notice may be implemented through system banners or access messages, provided users are informed prior to system use.