What must system-use notification banners display according to CMMC practice AC.L2-3.1.9?

The correct answer is that system-use notification banners must display information before authentication for Controlled Unclassified Information (CUI) processing. This requirement is part of the CMMC (Cybersecurity Maturity Model Certification) framework that emphasizes the importance of communicating user responsibilities and security awareness before allowing access to sensitive information.

By requiring that these notifications appear before authentication, the CMMC aims to ensure that users are adequately informed about the security policies, potential risks, and their responsibilities in handling CUI right from the start. This pre-authentication notification serves as an important reminder and a form of consent, establishing a level of awareness that helps to deter unauthorized access and improve overall security posture.

Additionally, banners providing information only after authentication, content related to user feedback, or basic security advisories do not fulfill the specific requirement outlined in CMMC practice AC.L2-3.1.9. These alternatives do not ensure that users are informed of their obligations and the nature of the data they are about to access prior to entering the system, which is critical for maintaining the security and integrity of CUI.