NIST 800-171 • LEVEL 2 • PLANNING

3.15.3 Rules of Behavior

Establish, document, and communicate rules of behavior for individuals with access to systems processing, storing, or transmitting Controlled Unclassified Information (CUI). Ensure individuals acknowledge those rules before receiving access.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

  • rules of behavior for system use are established and documented.
  • rules of behavior are communicated to authorized users.
  • authorized users acknowledge rules of behavior prior to receiving or retaining access.

Practitioner Notes

Rules of behavior define acceptable use of systems that handle CUI and the responsibilities of each user. Because users acknowledge the rules before access is granted, the acknowledgment serves as documented notice and as the basis for holding individuals accountable for misuse.

Example 1: Include prohibited actions (e.g., credential sharing, installation of unauthorized software, transfer of CUI to unapproved locations or media) in an acceptable use standard, together with the consequences of violating it.

Example 2: Require users to acknowledge the rules at onboarding, before any account is provisioned, and to re-acknowledge them annually and whenever the rules change, typically as part of the recurring security awareness workflow. Retain the acknowledgment records so they can be produced as assessment evidence.