GRCWatch
Sign inStart free trial

AC.L2-3.1.9: Privacy and Security Notices (CMMC Level 2)

Privacy and security notices are a foundational component of CMMC Level 2 compliance that inform users how their data—especially Controlled Unclassified Information (CUI)—is collected, used, and protected. This control requires organizations to establish and maintain notices consistent with federal CUI rules, creating transparency and legal accountability. Failing to implement proper notices can expose your organization to compliance gaps and audit findings.

What this means

AC.L2-3.1.9 requires your organization to develop and deploy privacy and security notices that align with federal Controlled Unclassified Information (CUI) handling rules. These notices must clearly communicate to users and system subjects how their information will be handled, what security measures protect it, and their rights regarding that data. This applies across all systems, applications, and user touchpoints that process or access CUI, ensuring consistent messaging and legal compliance.

How to comply

  1. 1.Develop a comprehensive privacy notice that addresses CUI collection, use, storage, and disclosure practices in accordance with NIST SP 800-171 and federal CUI guidelines.
  2. 2.Create a security notice that explicitly states security controls in place, monitoring practices, and acceptable use policies for systems handling CUI.
  3. 3.Display notices prominently at system login screens, in application interfaces, and on any web-facing entry points where CUI may be accessed or transmitted.
  4. 4.Ensure notices are written in clear, non-technical language accessible to all user types and user roles.
  5. 5.Maintain versioning and documentation of all notice updates, including dates and reasons for changes.
  6. 6.Review and update notices annually or whenever security practices, data handling procedures, or federal CUI rules change.
  7. 7.Obtain user acknowledgment of privacy and security notices during system onboarding and when notices are updated.
  8. 8.Train personnel on the content of these notices and their role in supporting compliance objectives.

Evidence auditors look for

  • Privacy notice document detailing CUI collection purposes, authorized uses, and retention periods aligned with federal rules.
  • Security notice posted at system login explaining monitoring, acceptable use restrictions, and consequences of unauthorized access.
  • System login banners or splash screens displaying condensed privacy and security warnings before CUI access is granted.
  • User acknowledgment records or sign-off forms confirming awareness of privacy and security notice requirements.
  • Policy documentation integrating privacy and security notice requirements into your information security program.
  • Screenshots of notices as displayed in production systems, applications, and user interfaces.
  • Training attendance records or completion certificates showing personnel acknowledgment of notice content.
  • Documentation of notice review cycles, updates, and approval by compliance or security leadership.

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates the creation, deployment, and management of CUI-compliant privacy and security notices across all your systems, tracks user acknowledgments in real-time, and triggers annual review reminders to keep notices current and audit-ready.

See how GRCWatch handles this control automatically

Start free trial

Related controls

AC.L2-3.1.1 — Authorized Access ControlSI.L2-3.13.1 — System MonitoringSI.L2-3.13.3 — User AccountabilityCA.L2-3.13.11 — Security Assessment and Authorization