NIST 800-171 • LEVEL 2 • ACCESS CONTROL
3.1.9 — System Use Notification
System use notifications can be implemented using messages or warning banners. The messages or warning banners are displayed before individuals log in to a system that processes, stores, or transmits CUI. System use notifications are used for access via logon interfaces with human users and are not required when human interfaces do not exist. Organizations consider whether a secondary use notification is needed to access applications or other system resources after the initial network logon. Posters or other printed materials may be used in lieu of an automated system message. This requirement is related to [](#/cprt/framework/version/SP_800_171_3_0_0/home?element=03.15.03) 03.15.03.
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
- a system use notification message with privacy and security notices consistent with applicable CUI rules is displayed before granting access to the system.
Practitioner Notes
Before anyone logs into your systems, they need to see a warning banner. This isn't just a formality — it's a legal requirement that establishes the system is for authorized use only and that activity may be monitored. Without it, you may have trouble taking action against misuse.
Example 1: Configure the Windows logon banner via GPO at Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options. Set "Interactive logon: Message title for users attempting to log on" to "WARNING" and "Interactive logon: Message text for users attempting to log on" to your DoD-compliant warning text. The user must click OK before reaching the login screen.
Example 2: For web applications and Microsoft 365, create a Conditional Access policy in Azure AD → Security → Conditional Access → Terms of Use. Upload your use notification as a PDF. Users will be required to accept the terms before accessing any cloud resources. Set it to re-prompt annually or whenever the terms are updated.