NIST 800-53 REV 5 • PLANNING

PL-4 Rules of Behavior

a. Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;
b. Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;
c. Review and update the rules of behavior {{ insert: param, pl-04_odp.01 }}; and
d. Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ insert: param, pl-04_odp.02 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Supplemental Guidance

Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see [PS-6](#ps-6)). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in [AC-8](#ac-8). The related controls section provides a list of controls that are relevant to organizational rules of behavior. [PL-4b](#pl-4_smt.b), the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons.

Practitioner Notes

Rules of behavior define what users can and cannot do on your systems — acceptable use, security responsibilities, and consequences for violations. Every user must read and acknowledge these rules before getting access.

Example 1: Write an Acceptable Use Policy (AUP) that covers: authorized use of company systems, personal use limits, social media restrictions, data handling requirements, password responsibilities, and consequences for violations. Have all employees sign it during onboarding and re-sign annually.
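The acknowledgment side of this example (sign at onboarding, re-sign annually, and re-sign whenever the rules change, per PL-4b and PL-4d) is easier to enforce when access provisioning checks a register rather than a filing cabinet. The PowerShell below is an added example, not part of the NIST control text or this page's notes; the version string, the 365-day window, the CSV column names and the user records are all constructed for illustration.

```powershell
# Added example: evaluate a rules-of-behavior acknowledgment register so that
# access provisioning can be gated on a valid, current acknowledgment.
# Version, re-sign window, column names and records are constructed/assumed.

$CurrentRobVersion      = '2.1'   # assumed: version of the rules currently in force
$ReacknowledgeAfterDays = 365     # assumed: annual re-sign requirement from the AUP

# Constructed sample register, e.g. an export from the onboarding or LMS system.
$Register = @'
User,RobVersion,AcknowledgedOn,Method
alice,2.1,2024-03-10,electronic-signature
bob,2.0,2023-11-02,electronic-signature
carol,2.1,2023-04-20,wet-signature
dave,,,
'@ | ConvertFrom-Csv

function Get-RobAcknowledgmentStatus {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [Parameter(Mandatory)] [string]   $CurrentVersion,
        [int]      $MaxAgeDays = 365,
        [datetime] $AsOf = (Get-Date)
    )
    foreach ($r in $Records) {
        $status = 'Valid'
        if ([string]::IsNullOrWhiteSpace($r.RobVersion)) {
            $status = 'NeverAcknowledged'       # PL-4b: no access until signed
        }
        elseif ($r.RobVersion -ne $CurrentVersion) {
            $status = 'ReacknowledgeRequired'   # PL-4d: rules changed since signing
        }
        elseif (($AsOf - [datetime]$r.AcknowledgedOn).TotalDays -gt $MaxAgeDays) {
            $status = 'Expired'                 # annual re-sign window has passed
        }
        [pscustomobject]@{
            User           = $r.User
            RobVersion     = $r.RobVersion
            AcknowledgedOn = $r.AcknowledgedOn
            Status         = $status
            AccessAllowed  = ($status -eq 'Valid')
        }
    }
}

# Evaluate the register as of a fixed date so the sample output is reproducible:
# alice is Valid, bob needs re-acknowledgment, carol's has expired, dave never signed.
Get-RobAcknowledgmentStatus -Records $Register -CurrentVersion $CurrentRobVersion `
    -MaxAgeDays $ReacknowledgeAfterDays -AsOf (Get-Date '2024-06-01') |
    Format-Table -AutoSize
```

The version check runs before the age check on purpose: a signature that is recent but against superseded rules still fails PL-4d, and only a record that is both current and inside the window yields AccessAllowed. Feeding the non-Valid rows into the account provisioning or deprovisioning workflow gives the auditable "acknowledged before access" evidence the control asks for.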

Example 2: Implement a logon banner using GPO (Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options → Interactive logon: Message text/title for users attempting to log on) that displays a summary of rules of behavior and requires acknowledgment before access is granted.
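The GPO setting in this example writes two REG_SZ values, LegalNoticeCaption and LegalNoticeText, under the Policies\System key. The PowerShell below is an added example rather than anything from the original page: it applies those values on a standalone host and, more usefully for domain-joined machines that should keep receiving them from GPO, provides a Test-LogonBanner audit that reports whether both title and text are actually in place. The function names and the banner wording are assumptions, not organizational policy text.

```powershell
# Added example (not from the original page): apply and verify the interactive
# logon banner. On domain-joined hosts manage the values through GPO as described
# above (a local edit is overwritten at the next policy refresh) and use
# Test-LogonBanner as the compliance check. Function names and wording are assumed.

$BannerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Set-LogonBanner {
    param(
        [Parameter(Mandatory)] [string] $Title,
        [Parameter(Mandatory)] [string] $Text
    )
    # Requires an elevated session; both values are REG_SZ, the same ones GPO writes.
    if (-not (Test-Path $BannerKey)) { New-Item -Path $BannerKey -Force | Out-Null }
    Set-ItemProperty -Path $BannerKey -Name 'LegalNoticeCaption' -Value $Title -Type String
    Set-ItemProperty -Path $BannerKey -Name 'LegalNoticeText'    -Value $Text  -Type String
}

function Test-LogonBanner {
    # Returns an object an audit script can collect from many hosts. A banner only
    # counts as present when both the title and the text are non-empty, because
    # Windows shows nothing at logon if either value is blank.
    $props = Get-ItemProperty -Path $BannerKey -ErrorAction SilentlyContinue
    $title = [string]$props.LegalNoticeCaption
    $text  = [string]$props.LegalNoticeText
    $titleSet = -not [string]::IsNullOrWhiteSpace($title)
    $textSet  = -not [string]::IsNullOrWhiteSpace($text)
    $preview  = if ($text.Length -gt 60) { $text.Substring(0, 60) + '...' } else { $text }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        TitleSet     = $titleSet
        TextSet      = $textSet
        Compliant    = ($titleSet -and $textSet)
        TextPreview  = $preview
    }
}

# Constructed sample banner summarizing the rules of behavior (assumed wording).
$sampleTitle = 'Rules of Behavior - Authorized Use Only'
$sampleText  = @'
This system is for authorized use only. By continuing you acknowledge that you
have read and agree to the organization's Rules of Behavior, that activity may
be monitored and recorded, and that misuse may result in disciplinary action.
'@

# Remediate only when the audit fails, then report the resulting state.
if (-not (Test-LogonBanner).Compliant) {
    Set-LogonBanner -Title $sampleTitle -Text $sampleText
}
Test-LogonBanner | Format-List
```

Run Test-LogonBanner on its own (for example through Invoke-Command against a list of hosts) to produce per-machine evidence for the assessor; the Compliant field is the single value to track, since a populated title with empty text still leaves users logging on without seeing the rules.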