PL-4—Rules of Behavior
>Control Description
a. Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;
b. Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;
c. Review and update the rules of behavior [Assignment: ⚙organization-defined frequency]; and
d. Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge [Selection (one or more): ⚙organization-defined frequency; when the rules are revised or updated].
>DoD Impact Level Requirements
FedRAMP Parameter Values
PL-4 (c) [at least annually]
PL-4 (d) [at least annually and when the rules are revised or changed]
>Discussion
Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users.
Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in AC-8. The related controls section provides a list of controls that are relevant to organizational rules of behavior.
PL-4b, the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons.
>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What is the process for establishing and documenting rules of behavior for information system users?
- How does the organization ensure rules of behavior are consistent with applicable laws, policies, and regulations?
- Who reviews and approves rules of behavior, and how frequently are they updated?
- What is the process for obtaining signed acknowledgment from users before granting access?
- How are rules of behavior communicated and enforced across the organization?
Technical Implementation:
- How are rules of behavior technically presented to users (banners, portals, access agreements)?
- What systems capture and store user acknowledgment of rules of behavior?
- How are users prevented from accessing systems without acknowledging rules of behavior?
- What mechanisms track which version of rules of behavior each user has acknowledged?
- How are updated rules of behavior re-presented to existing users?
Evidence & Documentation:
- Provide the current rules of behavior document for information system users.
- Provide evidence of user acknowledgment (signed forms, electronic acceptance records).
- Provide documentation of the rules of behavior review and update process.
- Provide records showing rules of behavior dissemination to new users.
- Provide evidence that access is prevented until rules of behavior are acknowledged.
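The three "Technical Implementation" questions above (gating access on an acknowledgment, tracking which version each user accepted, and re-presenting revised rules) are what an assessor will try to verify with evidence. The following is an added example, not part of the control text or of any assessor guidance, showing one way to make those properties checkable in code: the version identifier is derived from a hash of the rules text, so any revision invalidates earlier acknowledgments (PL-4d, "when revised"), and an acknowledgment older than the re-acknowledgment interval expires (FedRAMP PL-4d, "at least annually"). The store, function names, `REACK_INTERVAL`, and the sample users and timestamps are all constructed for this illustration.

```python
"""Added example (not from the PL-4 control text): gating access on a current
rules-of-behavior acknowledgment with version tracking and annual expiry.
All names and sample records here are constructed for illustration."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed re-acknowledgment interval, mirroring FedRAMP PL-4(d) "at least annually".
REACK_INTERVAL = timedelta(days=365)


def rules_version(rules_text: str) -> str:
    """Content-derived version ID: any edit to the text yields a new ID,
    so a silently revised document cannot leave a stale acknowledgment valid."""
    return hashlib.sha256(rules_text.encode("utf-8")).hexdigest()[:16]


@dataclass(frozen=True)
class Acknowledgment:
    user: str
    version: str           # rules_version() of the text the user accepted
    accepted_at: datetime  # UTC time of the click / signature (the evidence record)


class AckStore:
    """Append-only acknowledgment log (constructed stand-in for a real system of record).
    Records are never overwritten, so the history itself is the assessor evidence."""

    def __init__(self) -> None:
        self._records: list[Acknowledgment] = []

    def record(self, user: str, rules_text: str, when: datetime) -> Acknowledgment:
        ack = Acknowledgment(user, rules_version(rules_text), when)
        self._records.append(ack)
        return ack

    def latest(self, user: str):
        acks = [a for a in self._records if a.user == user]
        return max(acks, key=lambda a: a.accepted_at) if acks else None


def access_decision(store: AckStore, user: str, current_rules_text: str,
                    now: datetime) -> tuple[bool, str]:
    """Return (allowed, reason). Access is denied unless the user's most recent
    acknowledgment is of the *current* rules text and is within REACK_INTERVAL."""
    ack = store.latest(user)
    if ack is None:
        return False, "no acknowledgment on file (PL-4b)"
    if ack.version != rules_version(current_rules_text):
        return False, f"acknowledged superseded version {ack.version} (PL-4d, rules revised)"
    if now - ack.accepted_at > REACK_INTERVAL:
        return False, "acknowledgment older than re-acknowledgment interval (PL-4d, annual)"
    return True, f"current version {ack.version} acknowledged on {ack.accepted_at.date()}"


def demo() -> dict:
    """Run the gate over constructed sample users and return each decision."""
    previous_rules = "Rules of Behavior: do not share credentials; report incidents within 1 hour."
    current_rules = previous_rules + " Do not store agency data in unapproved cloud services."
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)

    store = AckStore()
    store.record("alice", previous_rules, now - timedelta(days=30))   # accepted old text
    store.record("bob", current_rules, now - timedelta(days=400))     # current text, but stale
    store.record("carol", current_rules, now - timedelta(days=30))    # current and fresh
    # "dave" has never acknowledged anything.

    results = {u: access_decision(store, u, current_rules, now)
               for u in ("alice", "bob", "carol", "dave")}

    # Re-presenting the revised rules and recording a new acknowledgment restores access.
    store.record("bob", current_rules, now)
    results["bob_after_reack"] = access_decision(store, "bob", current_rules, now)
    return results


if __name__ == "__main__":
    for user, (allowed, reason) in demo().items():
        print(f"{user:16} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The point of hashing the text rather than keeping a hand-maintained version number is that the check cannot drift from the document: whoever edits the rules automatically forces every user back through the acknowledgment flow, which is exactly the evidence the last assessor question asks for. A production system would persist the log durably and tie `accepted_at` to the authenticated session that clicked the checkbox.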