AC-8—System Use Notification
>Control Description
Display ⚙organization-defined system use notification message or banner to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:
Users are accessing a U.S. Government system;
System usage may be monitored, recorded, and subject to audit;
Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
Use of the system indicates consent to monitoring and recording;
Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and
For publicly accessible systems:
Display system use information ⚙organization-defined conditions, before granting further access to the publicly accessible system;
Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
Include a description of the authorized uses of the system.
>FedRAMP Baseline Requirements
Parameter Values
Additional Requirements and Guidance
AC-8 Requirement: The service provider shall determine elements of the cloud environment that require the System Use Notification control. Requirement: The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. Requirement: If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. Guidance: If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.
>Discussion
System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist.
Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content.
>Cross-Framework Mappings
>Programmatic Queries
Related Services
CLI Commands
aws ec2 describe-instance-attribute --instance-id INSTANCE_ID --attribute userDataaws ssm get-document --name AWS-ConfigureWindowsUpdate --document-format JSONaws workspaces describe-workspace-directories --query 'Directories[*].{Id:DirectoryId,Name:DirectoryName,CustomSecurity:SelfservicePermissions}'aws ssm describe-document --name SSM-SessionManagerRunShell>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What formal policies and procedures govern the implementation of AC-8 (System Use Notification)?
- •Who are the designated roles responsible for implementing, maintaining, and monitoring AC-8?
- •How frequently is the AC-8 policy reviewed and updated, and what triggers policy changes?
- •What training or awareness programs ensure personnel understand their responsibilities related to AC-8?
Technical Implementation:
- •Describe the specific technical mechanisms or controls used to enforce AC-8 requirements.
- •What automated tools, systems, or technologies are deployed to implement AC-8?
- •How is AC-8 integrated into your system architecture and overall security posture?
- •What configuration settings, parameters, or technical specifications enforce AC-8 requirements?
Evidence & Documentation:
- •What documentation demonstrates the complete implementation of AC-8?
- •What audit logs, records, reports, or monitoring data validate AC-8 compliance?
- •Can you provide evidence of periodic reviews, assessments, or testing of AC-8 effectiveness?
- •What artifacts would you present during a FedRAMP assessment to demonstrate AC-8 compliance?
Ask AI
Configure your API key to use AI features.