STIGhub — A free STIG search and compliance tool · STIGs updated 3 days ago
© 2026 Beacon Cloud Solutions, Inc.

PL-4: Rules of Behavior

Family: Planning · Revision: Rev 5 · Tag: organization

Baselines: Low, Moderate, High, Privacy

Control Statement

a. Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;
b. Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;
c. Review and update the rules of behavior [Assignment: frequency]; and
d. Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge [Selection: organization-defined value].

Supplemental Guidance

Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see [PS-6](#ps-6)). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in [AC-8](#ac-8). The related controls section provides a list of controls that are relevant to organizational rules of behavior. [PL-4b](#pl-4_smt.b), the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons.

Related Controls (19)

AC-2, AC-6, AC-8, AC-9, AC-17, AC-18, AC-19, AC-20, AT-2, AT-3, CM-11, IA-2, IA-4, IA-5, MP-7, PS-6, PS-8, SA-5, SI-12

CCI Identifiers (12)

- CCI-000592: Establish the rules that describe their responsibilities and expected behavior, for information and system usage, for individuals requiring access to the system.
- CCI-000593: Receive a documented acknowledgement from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system.
- CCI-001639: The organization makes readily available to individuals requiring access to the information system the rules that describe their responsibilities and expected behavior with regard to information and information system usage.
- CCI-003068: Review and update the rules of behavior in accordance with organization-defined frequency.
- CCI-003069: Defines the frequency with which to review and update the rules of behavior.
- CCI-003070: Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge, on an organization-defined frequency, and/or when the rules of behavior are revised or updated.
- CCI-004284: Establish the rules describing the responsibilities and expected behavior, for security, for individuals requiring access to the system.
- CCI-004285: Establish the rules describing the responsibilities and expected behavior, for privacy, for individuals requiring access to the system.
- CCI-004286: Provide the rules describing the responsibilities and expected behavior, for information and system usage, for individuals requiring access to the system.
- CCI-004287: Provide the rules describing the responsibilities and expected behavior, for security, for individuals requiring access to the system.
- CCI-004288: Provide the rules describing the responsibilities and expected behavior, for privacy, for individuals requiring access to the system.
- CCI-004289: Defines the frequency individuals are required to read and re-acknowledge the rules of behavior whenever the rules are revised or updated.

Linked STIG Checks (0)

No STIG checks reference this control.