PL-04 Rules of Behavior
a. Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;
b. Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;
c. Review and update the rules of behavior pl-04_odp.01 ; and
d. Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge pl-04_odp.02.
| Parameter ID | Definition |
|---|---|
| pl-04_odp.01 | frequency |
| pl-04_odp.02 |
Selection (one-or-more):
|
| pl-04_odp.03 | frequency |
Baselines
- L
- M
- H
- P
Guidance
Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6 ). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in AC-8 . The related controls section provides a list of controls that are relevant to organizational rules of behavior. [PL-4b](#pl-4_smt.b) , the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons.
References 2
- OMB A-130 Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016.
- SP 800-18 Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1.
Control Enhancements 1
Related controls 19
- AC-02 Account Management L M H P
- AC-06 Least Privilege L M H P
- AC-08 System Use Notification L M H P
- AC-09 Previous Logon Notification L M H P
- AC-17 Remote Access L M H P
- AC-18 Wireless Access L M H P
- AC-19 Access Control for Mobile Devices L M H P
- AC-20 Use of External Systems L M H P
- AT-02 Literacy Training and Awareness L M H P
- AT-03 Role-based Training L M H P
- CM-11 User-installed Software L M H P
- IA-02 Identification and Authentication (Organizational Users) L M H P
- IA-04 Identifier Management L M H P
- IA-05 Authenticator Management L M H P
- MP-07 Media Use L M H P
- PS-06 Access Agreements L M H P
- PS-08 Personnel Sanctions L M H P
- SA-05 System Documentation L M H P
- SI-12 Information Management and Retention L M H P