03.15.03 — (a) Establish rules that describe the responsibilities and expected behavior for system usage and protecting CUI. (b) Provide rules to individuals who require access to the system. (c) Receive a documented acknowledgement from individuals indicating that they have read, understand, and agree to abide by the rules of behavior before authorizing access to CUI and the system. (d) Review and update the rules of behavior {{ insert: param, A.03.15.03.ODP.01 }}.

What this control requires

(a) Establish rules that describe the responsibilities and expected behavior for system usage and protecting CUI. (b) Provide rules to individuals who require access to the system. (c) Receive a documented acknowledgement from individuals indicating that they have read, understand, and agree to abide by the rules of behavior before authorizing access to CUI and the system. (d) Review and update the rules of behavior {{ insert: param, A.03.15.03.ODP.01 }}.

Source: NIST SP 800-171 R3 §03.15.03 (official control text).

Why this matters

Rules of behavior establish a binding agreement between the organization and each system user about acceptable use, CUI handling responsibilities, and security expectations. Without documented rules and acknowledgment, users may unintentionally violate security policies, mishandle sensitive data, or introduce risk through ignorance of organizational standards. This control creates accountability by ensuring every person with system access explicitly agrees to follow established security practices before touching CUI. When incidents occur, signed acknowledgments demonstrate that users were informed of their obligations, supporting enforcement actions and reducing organizational liability.

What evidence assessors expect

Assessors typically look for: PDF, screenshot, signed letter. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.