The requirement for displaying privacy and security notices is defined by CMMC Level 2 practice AC.L2-3.1.9, which is derived from NIST SP 800-171. The discussion for the corresponding NIST control (3.1.9) clarifies that notices must be placed on "system entry points" and "on any system component that provides user access."

A "system entry point" refers to the initial system logon. A "system component that provides user access" includes specific applications, databases, or file shares that contain CUI. Therefore, displaying the notice at both initial logon and upon accessing specific CUI-related resources is the most comprehensive and correct implementation, ensuring users are consistently aware of their responsibilities at relevant access points.

A. This is insufficient because it omits the requirement to display notices on other system components that provide user access beyond the initial logon.

C. This is overly restrictive; the notice requirement applies to all systems processing any category of CUI, not just export-controlled technical data.

D. While a persistent banner is a valid implementation method, the core requirement is about displaying notices at points of access, not necessarily continuously.

1. National Institute of Standards and Technology (NIST). (2020). Special Publication (SP) 800-171 Rev. 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Section 3.1.9, Access Control, Discussion. The text states, "Notices are placed on system entry points and on any system component that provides user access."

2. U.S. Department of Defense (DoD). (2021). Cybersecurity Maturity Model Certification (CMMC) Model Version 2.0. Practice AC.L2-3.1.9, "Provide privacy and security notices consistent with applicable CUI rules."

3. National Institute of Standards and Technology (NIST). (2020). Special Publication (SP) 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations. Control AC-8, System Use Notification. This foundational control specifies displaying a notice "before granting access to the system."