Logon banners are one of those practices that sound trivial until you realize how many places a user can log into your environment. Your workstations have a banner, great. But what about the VPN portal? The cloud admin console? The remote desktop gateway? The assessor will check each one. This practice is easy to implement, easy to document, and easy to miss a spot. It connects to the broader AC.L2-3.1.1 access control framework and supports your monitoring story for the AU (Audit and Accountability) practices.
What the assessor is actually evaluating
The assessor is checking whether every place a user authenticates within your CUI boundary displays a notice before granting access. The notice has to cover a few standard elements: the system is for authorized use, activity is subject to monitoring, users consent to monitoring by using the system, and unauthorized use may result in consequences.
This isn’t about legal language or 500-word disclaimers. It’s about informed consent and establishing the organization’s right to monitor. The assessor wants to see that anyone logging into your systems knows the rules before they get in.
The assessor will typically walk through each authentication point: “Show me the workstation logon screen. Show me the VPN login. Show me the cloud portal.” At each one, they’re looking for the banner. If they find one without it, that’s a finding. The content of the banner matters, but completeness of coverage matters more.
One thing assessors pay attention to: the banner needs to appear before authentication, not after. If the user has to log in first and then sees a notice, that defeats the purpose. The notice is supposed to inform them before they gain access.
What a realistic SSP definition looks like
[Organization Name] displays system use notification banners on all information systems within the CUI boundary prior to granting access. The banner informs users that:
1. The system is for authorized use only.
2. System usage may be monitored, recorded, and subject to audit.
3. Unauthorized use of the system is prohibited and may result in disciplinary or legal action.
4. Use of the system constitutes consent to monitoring and recording.
The notification banner is displayed at the following authentication points: workstation logon (via Group Policy or endpoint management), VPN portal login page, cloud identity provider sign-in page (via custom branding), and any remote access gateway. Users must acknowledge the banner before authentication proceeds where technically feasible.
A few notes on that language:
It lists all four elements. Authorized use only, monitoring, consequences, consent. These are the standard components the assessor is looking for. Miss one and you’ll get a follow-up question.
It enumerates the authentication points. The assessor can look at this list and say “show me each one.” If there’s an authentication point not on this list, you have a gap. Better to list them all in the SSP and cover them all technically.
It acknowledges “where technically feasible.” Some platforms don’t support a pre-authentication banner with an acknowledgment button. For those, a displayed notice without a click-through may be the best you can do. Calling this out in the SSP shows the assessor you’ve thought about it.
How to present your evidence
- Screenshots of logon banners at each authentication point
- Group Policy or endpoint management configuration showing banner deployment
- VPN portal login page showing the notice
- Cloud identity provider custom branding showing the notice
- Banner text documented in policy or SSP
Prepare screenshots in advance. Take a screenshot of every logon screen in your CUI boundary showing the banner. Label each one: “Workstation logon,” “VPN portal,” “Cloud sign-in page.” Include these in your pre-assessment evidence package.
Be ready to show them live, too. The assessor may ask you to lock a workstation and show the logon screen. Or navigate to the VPN portal and show the login page. Having both the screenshots and the ability to demonstrate live covers you either way.
The configuration evidence matters as well. Show the Group Policy or endpoint management policy that pushes the banner to workstations. Show the cloud identity provider branding configuration where the notice text is entered. This proves the banner isn’t just on one machine; it’s deployed consistently.
Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.
Common failures
Missing from one or more authentication points. Workstations have the banner, but the VPN portal doesn't. Or the cloud sign-in page was never configured with custom branding. The assessor will check everywhere, so you need to cover everywhere.
Banner appears after authentication. The user logs in, then sees a welcome page with the notice. That's too late. The notice has to appear before credentials are entered and access is granted.
Banner content is incomplete. The banner says "authorized use only" but doesn't mention monitoring or consent. Or it mentions monitoring but not consequences. All four elements should be present.
Banner exists but isn't deployed via policy. Someone manually configured the logon message on a few machines, but there's no policy ensuring it's on all of them. New machines don't get the banner. Reimaged machines lose it. The assessor may check a machine at random.
Banner visible on every authentication point. All four content elements present. Displayed before authentication. Deployed via policy with evidence of consistent application. This is usually a quick practice if you've covered all the entry points. It only becomes a problem when something is missed.
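The two failures that are hardest to catch by eye, a banner that was set by hand rather than by policy and a banner whose text is missing one of the four elements, can both be checked from the workstation side. The script below is an added example, not from the original article: it reads the registry values that the Group Policy settings "Interactive logon: Message title for users attempting to log on" and "Interactive logon: Message text for users attempting to log on" populate, and tests the text against one keyword pattern per element. The patterns and the `Computers` parameter are assumptions to adapt to your own banner wording and fleet.

```powershell
# Added example, not from the original article: audit the Windows interactive-logon banner
# that the Group Policy settings "Interactive logon: Message title/text for users attempting
# to log on" write into the registry, then check the text for the four required elements.
# The keyword patterns are assumptions; tune them to your organization's banner wording.
param([string[]]$Computers = @($env:COMPUTERNAME))   # add remote hostnames to spot-check

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# One regex per element the SSP lists; each must match somewhere in the banner text.
$requiredElements = [ordered]@{
    'AuthorizedUseOnly' = 'authori[sz]ed (use|users?|personnel)'
    'Monitoring'        = 'monitor(ed|ing)|record(ed|ing)|audit'
    'Consequences'      = 'disciplinary|legal action|prosecut|penalt'
    'Consent'           = 'consent'
}

# Runs on the target machine and returns the two policy values (null when absent).
$readBanner = {
    param($key)
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{ Caption = $p.legalnoticecaption; Text = $p.legalnoticetext }
}

function Test-LogonBanner {
    param([string]$ComputerName)

    # Read locally when possible; otherwise over WinRM, which must already be enabled.
    if ($ComputerName -eq $env:COMPUTERNAME) {
        $banner = & $readBanner $policyKey
    } else {
        $banner = Invoke-Command -ComputerName $ComputerName -ScriptBlock $readBanner -ArgumentList $policyKey
    }

    $result = [ordered]@{ Computer = $ComputerName; Deployed = $false; Caption = $banner.Caption }

    # Empty text means no policy-backed banner: the "not deployed via policy" failure.
    $deployed = -not [string]::IsNullOrWhiteSpace($banner.Text)
    $result.Deployed = $deployed
    foreach ($entry in $requiredElements.GetEnumerator()) {
        $result[$entry.Key] = $deployed -and ($banner.Text -match $entry.Value)
    }
    [pscustomobject]$result
}

# Any $false in the table is a gap to close before the assessor picks that machine.
$Computers | ForEach-Object { Test-LogonBanner -ComputerName $_ } | Format-Table -AutoSize
```

Running it against a sample of machines (including a freshly imaged one) gives you the consistency evidence the configuration screenshots alone cannot, and the table doubles as a checklist for the screenshot package.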
If you use an MSP/MSSP
Your MSP probably manages the systems where banners need to be configured. They likely deployed the Group Policy, set up the cloud branding, and configured the VPN portal. The assessor may ask them to walk through the deployment.
The MSP should be prepared to show how the banner is pushed to all managed devices. If the MSP manages the cloud identity provider, they should know where the custom branding is configured and how to show it. If they manage the VPN, they should know the login page configuration.
One area that sometimes gets overlooked: the MSP’s own remote access tools. If the MSP uses a remote management tool to connect to machines in your environment, does that tool display a logon banner? If the MSP’s portal is within the CUI boundary or provides access to CUI systems, it needs coverage too. This is worth verifying before the assessment.
Assessors spot-check multiple login points. They'll log into the workstation, the VPN portal, and the cloud admin console to verify banners appear on each one. It's easy to miss a spot, so do a careful audit before the assessment. Check everywhere a user can type a password within your CUI boundary. Don't assume that if banners are on one system, they're everywhere. They need to be explicitly configured on every entry point.
Have your MSP do a quick audit of every authentication point they manage in your environment. Ask them to screenshot each one showing the banner. If any are missing, they can usually add them in minutes. The best MSSPs I've worked alongside include logon banners in their standard tenant configuration, so every customer starts with them in place. If yours doesn't have them yet, it's a quick fix.
This page covers AC.L2-3.1.9 from NIST SP 800-171 Rev 2 (3.1.9). The guidance here is based on experience in real CMMC assessments and is intended to help you prepare. It is not legal or compliance advice. Your organization’s situation is unique, and you should work with qualified professionals for formal assessment preparation.