3.1.9 — The Warning Banner

The One-Liner

Every system that touches CUI needs a login banner. Users click ‘I Accept’ before they proceed. One of the easiest requirements to implement — and one of the most commonly missed.

What It Says

Provide privacy and security notices consistent with applicable CUI rules.

What It Actually Means

At every login screen, display a notice that says:

• This system contains controlled information
• Usage may be monitored and recorded
• Unauthorized use is prohibited
• By logging in, you consent to monitoring

Users must acknowledge it (click “I Accept”) before accessing the system. Work with legal counsel on the exact language. Don’t forget physical spaces — post signage where paper CUI is stored.

This notice has legal value: it can be used in prosecution if someone misuses the system.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Are required notices identified?	You know what your CUI categories legally require
2	Are notices displayed at login?	Users see them and must acknowledge before proceeding

---

What to Have Ready on Assessment Day

Documents they’ll review: Privacy and security policies, notification procedures, approved banner text, user acknowledgement records, system configuration, audit logs

People they’ll talk to: Sysadmins, information security staff, legal counsel, system developers

Live demos they’ll ask for: “Show me the login banner. Show me that users must click Accept before proceeding.”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “Are appropriate notices displayed at login?”
• “Do users have to acknowledge before proceeding?”
• “Are there special requirements for your specific CUI category?”
• “Are notices posted in areas where paper CUI is stored?”

Real-World Example

A contractor uses Entra ID Terms of Use to display a security notice at every login. The notice was drafted with legal counsel. Users must click ‘I Accept’ — no access until they do. The acceptance is logged with a timestamp. Physical areas with CUI have printed notices posted at the entrance.

---

Where Companies Trip Up

No banner at all. Systems go straight to login with no notice.

Banner but no acknowledgement. The notice displays but users can bypass it without clicking Accept.

Missing from some systems. Banner on workstations but not on VPN, cloud apps, or mobile.

Forgetting paper CUI. No signage in rooms where physical CUI documents are stored.

---

How to Talk About This

To a CEO or Board

Every system displays a security notice at login that users must acknowledge. It’s a legal protection for the company and one of the easiest CMMC requirements to satisfy.

To an Engineering Team

Entra ID Terms of Use with conditional access enforcement. GPO login banner on Windows. Signage in physical CUI areas. All acknowledgements logged.

---

Connected Requirements

Requirement	Why it matters here
3.1.10 — Lock the Screen	The lock screen should also hide information
3.1.12 — Remote Access	Remote sessions also need the banner

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: AC.L2-3.1.9 | SPRS Weight: 1 point | POA&M Eligible: Yes