NIST 800-53 r5 · Controls catalogue · Family AC
AC-8 System Use Notification
- a. Display {{ insert: param, ac-08_odp.01 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:
  - 1. Users are accessing a U.S. Government system;
  - 2. System usage may be monitored, recorded, and subject to audit;
  - 3. Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
  - 4. Use of the system indicates consent to monitoring and recording;
- b. Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and
- c. For publicly accessible systems:
  - 1. Display system use information {{ insert: param, ac-08_odp.02 }}, before granting further access to the publicly accessible system;
  - 2. Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
  - 3. Include a description of the authorized uses of the system.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (1)
- T1199 Trusted Relationship (Initial Access)
Weaknesses this control addresses (3)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-284 | Improper Access Control | 4,832 | Requiring explicit acknowledgment of the notification before granting access enforces a mandatory step in the access process, reducing the ability to exploit improper access control weaknesses. |
| CWE-285 | Improper Authorization | 1,230 | Mandating user acknowledgment of usage conditions prior to access strengthens authorization by ensuring consent is obtained as part of the decision to grant entry. |
| CWE-425 | Direct Request ('Forced Browsing') | 255 | Displaying the notification before further access on public systems prevents direct resource requests from bypassing the required system use terms and consent. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet; the per-CVE backfill is in progress. | | | | |