AC-8: System Use Notification
An OSCAL Control
Statement
-
-
1.
Users are accessing a U.S. Government system;
-
2.
System usage may be monitored, recorded, and subject to audit;
-
3.
Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
-
4.
Use of the system indicates consent to monitoring and recording;
-
-
b.
Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and
-
c.
For publicly accessible systems:
-
2.
Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
-
3.
Include a description of the authorized uses of the system.
-
-
Requirement:
The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.
-
Requirement:
The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO.
-
Requirement:
If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO.
-
Guidance:
If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.
-