3.15.3

Discussion

Rules of behavior represent a type of access agreement for system users. Organizations consider rules of behavior for the handling of CUI based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users.

NIST 800-171A r3 Assessment Guidance

Examine

[SELECT FROM: security planning policy and procedures; rules of behavior for system users; signed acknowledgements of rules of behavior; records for rules of behavior reviews and updates; system security plan; other relevant documents or records]
Interview

[SELECT FROM: processes for establishing, reviewing, disseminating, and updating rules of behavior; mechanisms for supporting or implementing the establishment, dissemination, review, and update of rules of behavior]
Test

[SELECT FROM: personnel with rules of behavior establishment, review, and update responsibilities; personnel with literacy training and awareness responsibilities; personnel with role-based training responsibilities; authorized users of the system who have signed rules of behavior; personnel with information security responsibilities]

ID	Assessment Objectives
A.03.15.03.a	rules that describe responsibilities and expected behavior for system usage and protecting CUI are established.
A.03.15.03.b	rules are provided to individuals who require access to the system.
A.03.15.03.c	a documented acknowledgement from individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received before authorizing access to CUI and the system.
A.03.15.03.d[01]	the rules of behavior are reviewed .
A.03.15.03.d[02]	the rules of behavior are updated .
A.03.15.03.ODP[01]	the frequency at which the rules of behavior are reviewed and updated is defined.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!