PL-4—Rules Of Behaviour

PBMM (P1)

Secret (P1)

Management

>Control Description

(A) The organization establishes and makes readily available to individuals requiring access to the information system the rules that describe their responsibilities and expected behaviour with regard to information and information system usage. (B) The organization receives a signed acknowledgment from such individuals, indicating that they have read, understood, and agreed to abide by the rules of behaviour, before authorizing access to information and the information system. (C) The organization reviews and updates the rules of behaviour ⚙organization-defined frequency. (D) The organization requires individuals who have signed a previous version of the rules of behaviour to read and resign when the rules of behaviour are revised/updated.

>Supplemental Guidance

This control enhancement applies to organizational users. Organizations consider rules of behaviour based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behaviour for some types of non-organizational users including, for example, individuals who simply receive data/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems.

Rules of behaviour for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behaviour. Organizations can use electronic signatures for acknowledging rules of behaviour.

Related controls: AC-2, AC-6, AC-8, AC-9, AC-17, AC-18, AC-19, AC-20, AT-2, AT-3, CM-11, IA-2, IA-4, IA-5, MP-7, PS-6, PS-8, SA-5

Ask AI

Configure your API key to use AI features.