How to Comply with CMMC AC.2.005 User Policy Acceptance Rule

One of the first steps to being CMMC compliant is completing the user policy acceptance rule, A.K.A CMMC AC.2.005.

Starting a CMMC compliance journey is no easy feat. Depending on the level of CMMC you have to comply with, there are several additional steps your business will need to take. One of the first steps to being CMMC compliant is completing the user policy acceptance rule, A.K.A CMMC AC.2.005. 

What is CMMC AC.2.005?

Before we go any further, check out our blog: Understanding the CMMC 2.0 Framework to better understand what CMMC is and its purpose.

To the CMMC AC.2.005…

The CMMC AC.2.005 is a user policy document that outlines your organization’s technology regulations. Colloquially, it’s the prompt  displayed on a login screen that must be acknowledged before signing in. When users acknowledge and agree to the consent display, your organization is covered legally, holding the users accountable for any action involving the machine. The user policy acceptance rule must be confirmed before every sign in. 

User Policy Acceptance Example

While there is no “out of the box” solution for an acceptable use policy, there are a few areas that we feel are important to have. These areas are, but are not limited to:

  • Opening statement
  • Prohibited use
  • Repercussion statement
  • Reporting process
  • Closing statement

Opening Statement

Your opening statement should be brief but informational. The information provided is a quick and expedient summary of the rest of the policy. Think of a preview for a movie. By watching the preview, you get a general understanding of the film and its major components. 

Prohibited Use

Implementing a user policy acceptance rule shouldn’t be done lackadaisical. Especially this section. The prohibited use section of the policy is where you lay out precise rules for the users to follow. A couple examples of prohibited use are: 

  • Explicit content
  • Intended use of malicious behavior 
  • Promotion of violence 
  • Infringing the rights of others

Repercussion Statement

This is exactly what it sounds like. In this section, you should have a detailed clause stating the punishment issued for misuse of the machine. The severity of the punishment is dictated by the company, accompanied by necessary legal action. 

Reporting Process

Keeping your users informed of proper reporting methods is crucial to your company’s operation. Just like reporting safety violations on a jobsite, or on the factory floor, informing your users on how to report computer misconduct is vital. 

Omnis Tip: We recommend developing an anonymous submission method to encourage users to report any fraction of the company policy.

Closing Statement

Like your opener, your closing statement should be brief and to the point. As CMMC 2.0 develops over time, your company will be responsible for making changes to your policies to be in accordance with the guidelines set by the Department of Defense (DoD). Due to the frequent changes in CMMC compliance, you should have a clause stating that you reserve the right to update this policy and encourage users to re-read the prompt entirely. 


[How to] Display User Acceptance Policy for Windows

Once a complete policy has been established, the final step is to publish your policy on all computers used within your organization. To accomplish this, an interactive logon must be configured for your organization. How the interactive login is deployed is dependent on how your network is set up.

If your business is configured with a domain, utilizing group policy makes for a quick and easy deployment. On the other hand, if your business computers are local users only, you’ll configure the interactive logon manually per machine. 

Windows Server (Domain)

Before you spend countless hours going to each computer on your network, let’s take a look at setting up an interactive logon using group policy with these 4 easy steps.

  1. Opening group policy management console
  2. Creating a new group policy  
  3. Configuring the new policy
  4. Testing the policy

1. Opening Group Policy Management Console

The first step is going to be opening Group Policy Management on your domain controller (DC). The quickest way to get there is: Start > Windows Administrative Tools > Group Policy Management.

2. Creating a New Group Policy

Once you’re in the Group Policy Management console, right click on your domain in the top left navigation pane, and select “Create a GPO in this domain, and Link it here…” Now, you can name the new group policy to whatever makes sense for you so you can quickly reference it later, if you need to.

3. Configuring the New Policy 

This is the important part! Now that the server is recognizing a new group policy, we have to tell it what to do. First, we have to open the new group policy in the left navigation pane by right clicking it, and selecting Edit

Once we have the group policy editor open, we have to find the interactive logon policies. You can find these policies under: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. 

After clicking on Security Options, you will see all the different policies populate on the left side. Scroll down until you find the interactive logon section, or just click in the left pane, and simply hit the “I” key on your keyboard. 

There are 2 policies that we have to edit in order for the interactive logon to work properly. The two policies we need are:

  • Interactive Logon: Message text for users attempting to log on 
  • Interactive Logon: Message title for users attempting to log on. 

To start, right click on the first policy and select Properties. Now, type or paste in the policy message that you created for your organization, and then hit OK. Now, do the same steps for the second policy and give it an appropriate title. 

4. Testing the Policy

The last step is to test the newly created group policy. To test the new group policy, sign out of your account on the domain controller, and sign back in. Now, before you sign in, you should be greeted with your newly configured interactive logon. 

Windows Computer (Local Account)

Not every business is the same, so having the luxury of pushing out policies with group policy isn’t always possible. Luckily, most of the steps are the same, you just have to know how to get there! To find the security options for a local computer go to: Start > Control Panel > System and Security > Windows Tools > Local Security Policy. 

Once you open the Local Security Policy console, in the left navigation pane, expand Local Policies and click on Security Options. From there, copy steps 3 and 4 above to test your newly created interactive logon. 

Partnering With Professionals

Let’s face it, IT isn’t for everyone, especially when it comes to configuring a network that is CMMC compliant. 

Not being burdened with the extra workload produced by a CMMC audit might allow for a few extra hours of sleep at night. Contact us for a free CMMC consultation, and let us handle your CMMC compliance! 

Similar posts