When do I need CUI banners for CMMC?
- Vincent Scott
- Jul 10
- 5 min read
In order to answer this question, let’s examine the regulatory security requirements that may drive the need for CUI banners. First, we will discuss electronic systems and then move on to physical.
Security requirements in CMMC are based on the security requirements contained in NIST Special Publication (SP) 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
Controlled Unclassified Information, or CUI, is “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls.” (32 CFR 2002.4(h))
In NIST SP 800-171 and CMMC, this comes down principally to one security requirement:
AC.L2-3.1.9: Provide privacy and security notices consistent with applicable CUI rules. Assessment objective [a]: privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category.
NIST 800-171 and the CMMC assessment guides go on in the discussion section to advise:
System use notifications can be implemented using messages or warning banners displayed before individuals log in to organizational systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Based on a risk assessment, organizations consider whether a secondary system use notification is needed to access applications or other system resources after the initial network logon. Where necessary, posters or other printed materials may be used in lieu of an automated system banner. Organizations consult with the Office of General Counsel for legal review and approval of warning banner content.
What are the CUI rules for privacy and security notices, then, and where do we find them? The principal architect and arbiter of CUI rules is the National Archives and Records Administration (NARA), not the Department of Defense (DoD). NARA has published a CUI marking guide that speaks to these privacy and security notices. On page 23 it has some limited guidance on marking media and equipment. It states that media such as USB sticks, hard drives, and CD-ROMs must be marked to indicate that they contain CUI, and that equipment may be marked as well. This does not address a requirement for a login banner or an on-screen display in an operating computer system.
The NARA guide on page 27, goes on to indicate that, “Agency heads may authorize the use of alternate marking methods on IT Systems, websites, browsers, or databases through agency CUI policy.” This is optional for Agency heads, and not mandated; however, a CUI banner on a logged in computer, and an initial login notice are provided as potential examples.
So what does the DoD say as an Agency head? The DoD publishes its own marking guide, subordinate to the NARA guide; it does not, however, address a banner requirement.
The DoD has also written an “implementing directive” for the DoD CUI program, as required under 32 CFR 2002. That directive is DoDI 5200.48, Controlled Unclassified Information (CUI), dated March 6, 2020. For DoD systems, that document mandates the use of a splash screen warning and consent notice (Figure 3). The notice does not mention CUI, and it is again specified as a requirement for DoD systems only.
It is worth noting that “specified CUI,” as stated in the base security requirement, is a special kind of CUI. NARA’s 32 CFR 2002, which is the base governance document for all CUI, says:
Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: Requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify. 32 CFR 2002.4(h)
CUI Specified is CUI for which special security controls have been mandated. In 5200.48, the DoD’s implementing directive, the DoD states, “g. During DoD’s initial phased implementation of the CUI Program, there is no required distinction that must be made between Basic and Specified CUI.” The DoD has said formally that during the initial phases of the CUI program it is not making a distinction between CUI Basic and CUI Specified, meaning that all CUI will be protected by the security requirements of NIST SP 800-171. As always, specific contractual requirements may still exist, and other marking requirements for information under legal regimes separate from CUI and CMMC, such as the International Traffic in Arms Regulations (ITAR), may drive further marking requirements.
As a result, there currently is no hard regulatory specification for a splash screen or banner, nor is there specific guidance as to what such a banner should include if it is used. Based on the SP 800-171 and assessment guide text, however, most assessors expect some form of notification when accessing a system that contains CUI, and this is a common-sense policy implementation.
We recommend the use of a login banner that states the system being logged into contains CUI. This is easily implemented in most cases with Microsoft Active Directory or Entra ID. Adapting from both the NARA examples and the DoDI language specific to DoD systems, we recommend a login banner as follows:
Use of this Information System (IS) constitutes consent to monitoring and the following:
• Communications and data stored on this IS are subject to routine monitoring and may be disclosed or used for any corporate authorized purposes.
• Use of this IS is restricted to authorized corporate business purposes, and not-to-interfere personal activities when authorized by company policy.
• Misuse of this IS, including any attempts to disable or subvert existing technical security controls, may be subject to adverse personnel actions up to and including employment termination, and may include criminal or civil penalties.
• This IS may contain CUI and should be handled IAW corporate policy and Federal regulation.
At a minimum, the login banner should include a mention of CUI. A separate banner for specific databases or repositories may be a prudent security control, but should not be a CMMC assessment consideration.
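One way to put the recommended banner in place on a Windows host and then verify it, as an added example that is not from the original post: the script writes the two registry values that the Group Policy settings “Interactive logon: Message title/text for users attempting to log on” map to, then returns a per-host check that a banner exists and names CUI. The title string and the check function are assumptions of this example; in a domain the same values would be delivered by GPO rather than set locally.

```powershell
# Added example (not the post's own script). Requires an elevated PowerShell session.
# These values are what the "Interactive logon: Message ..." policy settings write.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Title is an assumed value; the body is the banner text recommended in the post.
$BannerTitle = 'NOTICE: Consent to Monitoring'
$BannerText  = @(
    'Use of this Information System (IS) constitutes consent to monitoring and the following:',
    '- Communications and data stored on this IS are subject to routine monitoring and may be disclosed or used for any corporate authorized purposes.',
    '- Use of this IS is restricted to authorized corporate business purposes, and not-to-interfere personal activities when authorized by company policy.',
    '- Misuse of this IS, including any attempts to disable or subvert existing technical security controls, may be subject to adverse personnel actions up to and including employment termination, and may include criminal or civil penalties.',
    '- This IS may contain CUI and should be handled IAW corporate policy and Federal regulation.'
) -join "`r`n"

function Set-LogonBanner {
    param([string]$Title, [string]$Text)
    # Both values are REG_SZ. An empty legalnoticetext suppresses the dialog entirely,
    # so never write a blank body.
    if ([string]::IsNullOrWhiteSpace($Text)) { throw 'Banner text must not be empty.' }
    Set-ItemProperty -Path $PolicyKey -Name 'legalnoticecaption' -Value $Title -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'legalnoticetext'    -Value $Text  -Type String
}

function Test-LogonBanner {
    # Evidence object for an assessment: is a banner configured, and does it meet the
    # post's minimum of mentioning CUI (plus the consent-to-monitoring language)?
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $text  = [string]$props.legalnoticetext
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        BannerPresent   = -not [string]::IsNullOrWhiteSpace($text)
        MentionsCUI     = [bool]($text -match '\bCUI\b')
        MentionsConsent = [bool]($text -match 'consent to monitoring')
    }
}

Set-LogonBanner -Title $BannerTitle -Text $BannerText
Test-LogonBanner | Format-List
```

To gather the same evidence from many domain members, run Test-LogonBanner through Invoke-Command against a list of computer names and export the objects to CSV.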
Turning now to signs for physical locations: the DoD body of regulation, including NIST SP 800-171, is silent on this issue apart from the AC.L2-3.1.9 security requirement. The NARA CUI Marking Guide, page 28, says that “In areas containing CUI, it may be necessary to alert personnel who are not authorized to access it,” and provides an example. Given the text of the requirement, this is not mandated. In our view, it is left to the organization’s judgment to decide when such signs are appropriate. Some assessors have stated that they feel these signs are mandated; however, that does not appear to be supported by the regulatory guidance. Additionally, page 29 goes on to state, “When an agency is storing CUI, authorized holders should mark the container to indicate that it contains CUI.” Based on that specific text, it is recommended that storage containers such as filing cabinets be marked when they contain CUI.