PS.L2-3.9.1 Screen Individuals

CMMC Practice PS.L2-3.9.1 – Screen Individuals: Screen individuals prior to authorizing access to organizational systems containing CUI.

Links to Publicly Available Resources

Discussion [NIST SP 800-171 R2]
Personnel security screening (vetting) activities involve the evaluation/assessment of individual’s conduct, integrity, judgment, loyalty, reliability, and stability (i.e., the trustworthiness of the individual) prior to authorizing access to organizational systems containing CUI. The screening activities reflect applicable federal laws, Executive Orders, directives, policies, regulations, and specific criteria established for the level of access required for assigned positions.

Further Discussion
Ensure all employees who need access to CUI undergo organization-defined screening before being granted access. Base the types of screening on the requirements for a given position and role.
The effective screening of personnel provided by this practice, PS.L2-3.9.1, improves upon the effectiveness of authentication performed in IA.L1-3.5.2.