Acceptable Use Policy (AUP)

An Acceptable Use Policy (AUP) defines the rules and guidelines for how employees and other users may use organizational IT resources — computers, networks, email, internet access, and data. It establishes what's permitted, what's prohibited, and the consequences of policy violations.

A well-written AUP covers topics like appropriate use of company equipment, email and internet usage guidelines, social media policies, handling of sensitive data, password requirements, removable media restrictions, and requirements for reporting security incidents.

Why It Matters

An AUP supports multiple CMMC requirements by establishing documented rules of behavior for system users. Assessors expect to see that users acknowledge and agree to acceptable use policies before being granted system access.