CMMC Practice Number: PS.L2-3.9.1
CMMC Level: 2 CMMC Domain: Personnel Security (PS)
Practice Summary:
Screen individuals prior to authorizing access to organizational systems containing CUI.
Contents:
CMMC Practice Implementation |
Assessment Objectives
Determine if:
[a] individuals are screened prior to authorizing access to organizational systems containing CUI.
Practice Clarification (DOD, CMU)
Ensure all employees who need access to CUI undergo organization-defined screening before being granted access [a]. Base the types of screening on the requirements for a given position and role.
The effective screening of personnel provided by this practice, PS.L2-3.9.1, improves upon the effectiveness of authentication performed in IA.L1-3.5.2.
Example
You are in charge of security at your organization. You complete standard criminal background and credit checks of all individuals you hire before they can access CUI [a]. Your screening program follows appropriate laws, policies, regulations, and criteria for the level of access required for each position.
Potential Assessment Considerations
• Are appropriate background checks completed prior granting access to organizational systems containing CUI [a]?
Where To Look
- Personnel security policy;
- procedures addressing personnel screening;
- records of screened personnel;
- system security plan;
- other relevant documents or records.
Who To Talk To
- Personnel with personnel security responsibilities;
- personnel with information security responsibilities.
Perform Test On
- Organizational processes for personnel screening.
Additional Information
Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance.
Companies may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems.
CMMC Practice Background and References (DOD, CMU) |
Practice Discussion:
DISCUSSION FROM SOURCE: NIST SP 800-171 R2
Personnel security screening (vetting) activities involve the evaluation/assessment of individual’s conduct, integrity, judgment, loyalty, reliability, and stability (i.e., the trustworthiness of the individual) prior to authorizing access to organizational systems containing CUI. The screening activities reflect applicable federal laws, Executive Orders, directives, policies, regulations, and specific criteria established for the level of access required for assigned positions.
CMMC References:
· NIST SP 800-171 Rev 1 3.9.1
· CERT RMM v1.2 HRM:SG2.SP1
· NIST SP 800-53 Rev 4 PS-3