  1. OpenShift Request For Enhancement
  2. RFE-4176

Need Security Control AC-9 for Successful Logins


      1.  Proposed title of this feature request:

      The customer would like to establish additional security requirements to have a Security Control AC-9 for successful Logons – enhancement (2).

      2. What is the nature and description of the request?

      The information system needs the ability to notify the user, upon successful logon (access) to the system, of the date and time of the last logon (access). For reference, the complete AC-9 control is provided below.

      3. Why does the customer need this? (List the business requirements here)

      To maintain an ATO (Authorize to Operate) criteria within the Government environment. Handling multiple customers should allow for a configurable item for [Assignment: organization-defined time period]. Ideally applicability of this control should be automatically derived from encoded objects describing access control policy; system configuration settings. Ideally evaluation of this control should be provided for evaluation of procedures addressing previous logon notification; system design documentation; system configuration documentation.

      4. List any affected packages or components.

       

      _________________________

      AC-9(2) states:

       

      Control Statement

      Notify the user, upon successful logon, of the number of [Selection: successful logons; unsuccessful logon attempts; both] during [Assignment: organization-defined time period].

      Discussion:

      Information about the number of successful and unsuccessful logon attempts within a specified time period allows the user to recognize if the number and type of logon attempts are consistent with the user’s actual logon attempts.

      See also https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-9 

              atelang@redhat.com Anjali Telang
              rhn-support-abuckner Andre Buckner
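
The counting behaviour that the AC-9(2) control statement describes, shown as an added example that is not part of the original request and is not OpenShift code. The `LogonEvent` record, the function names and the sample events are assumptions constructed for illustration; excluding the logon that triggers the notice from the counts is a design choice of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class LogonEvent:          # hypothetical record, not an OpenShift audit schema
    user: str
    when: datetime         # timezone-aware UTC timestamp
    success: bool

def logon_counts(events, user, now, period, selection="both"):
    """Counts for `user` in [now - period, now); the logon at `now` is excluded."""
    if selection not in ("successful", "unsuccessful", "both"):
        raise ValueError(f"unknown selection: {selection!r}")
    if period <= timedelta(0):
        raise ValueError("period must be positive")
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    start = now - period
    ok = failed = 0
    for ev in events:
        if ev.user == user and start <= ev.when < now:
            if ev.success:
                ok += 1
            else:
                failed += 1
    counts = {}
    if selection in ("successful", "both"):
        counts["successful"] = ok
    if selection in ("unsuccessful", "both"):
        counts["unsuccessful"] = failed
    return counts

def render_notice(counts, period):
    """Text shown to the user right after a successful logon."""
    parts = ", ".join(f"{n} {kind}" for kind, n in counts.items())
    return f"Logon attempts in the last {period}: {parts}"

# Constructed sample data: the final event is the logon that triggers the notice.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    LogonEvent("alice", NOW - timedelta(days=30), True),    # outside a 7-day period
    LogonEvent("alice", NOW - timedelta(days=2), True),
    LogonEvent("alice", NOW - timedelta(days=1), False),
    LogonEvent("alice", NOW - timedelta(hours=3), False),
    LogonEvent("bob", NOW - timedelta(hours=1), False),     # other user, ignored
    LogonEvent("alice", NOW, True),                         # current logon
]

if __name__ == "__main__":
    week = timedelta(days=7)
    print(render_notice(logon_counts(EVENTS, "alice", NOW, week), week))
```

The `period` and `selection` arguments correspond to the control's [Assignment: organization-defined time period] and [Selection] parameters, which is where the request asks for a configurable item.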