Name: Episode 8_SYSTEM USE NOTIFICATION_ (AC-8)
Uploaded: 2022-09-17 00:15:01
Duration: 9 min 39 s

Question 1

What is AC-8 System Use Notification in NIST 800-53 Rev 5?

Accepted Answer

AC-8 is the control that requires a system use notification (warning banner) to be shown to users before they’re granted access. The banner has to provide privacy and security notices and it must stay on the screen until the user explicitly acknowledges it. The whole point is to make the user accept the terms and conditions before logging in.

Question 2

What language must be included in a system use warning banner for AC-8?

Accepted Answer

At a minimum, your banner needs to communicate that the user is accessing a U.S. Government (or organizational) system, and that system usage may be monitored, recorded, and audited. It also needs to state unauthorized use is prohibited and subject to criminal/civil penalties, and that using the system indicates consent to monitoring and recording. However you write it, you have to cover those points.

Question 3

Does AC-8 require users to click “OK” or explicitly accept the banner?

Accepted Answer

Yes—AC-8 is very clear that the notification must remain until users acknowledge the conditions and take explicit action to log on or proceed. If the system just displays a banner and then automatically logs the user in, that’s not what I’m looking for in an assessment. I want to see the user actually click accept/OK before access continues.

Question 4

How do you assess or test AC-8 during an SCA or self-assessment?

Accepted Answer

I start by obtaining and examining the access control policy and procedures, and then I check the SSP to see what the organization says the banner should be. Next I request a screenshot of the warning banner and compare the language to the policy and SSP. If needed, I also ask for a live walkthrough to confirm the banner displays and requires explicit acceptance before access is granted.

Question 5

Do service accounts need a system use notification banner under AC-8?

Accepted Answer

No—notifications are used for logon interfaces with human users. If there’s no human interface, like service accounts talking to other service accounts, you don’t need a banner because there’s no person to explicitly accept it. That’s straight from the discussion and how I apply it in practice.

Question 6

What’s different about AC-8 for public-facing systems?

Accepted Answer

Publicly accessible systems can have additional requirements, including how you reference monitoring/recording/auditing in a way that fits privacy accommodations for those systems. In my experience updating banners for a public-facing system, I got called to order quickly—legal and privacy had to vet the language before it could go live. Internal-facing banners and external-facing banners are not one-size-fits-all.

Question 7

Why is a system use notification important from a security perspective?

Accepted Answer

It’s a deterrent—when a bad actor sees clear monitoring and penalty language, it can discourage unauthorized activity. It also establishes user consent and sets expectations up front. From a GRC standpoint, it’s a simple control that often fails on the “explicit acknowledgement” detail.

Episode 8_SYSTEM USE NOTIFICATION_ (AC-8)

🛍️ Products Mentioned (4)

Official NIST publications, standards, and guidance

Official KamilSec branded designs and apparel

PayPal

*Patreon & Channel Support*******

About This Video

Frequently Asked Questions

🎬 More from KamilSec