CMMC Practice PS.L2-3.9.1 – Screen Individuals: Screen individuals prior to authorizing access to organizational systems containing CUI.
Links to Publicly Available Resources
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2. This example directive can assist organizations that are required to meet the personnel security (PS) controls as stated in NIST SP 800-53. The Fair Credit Reporting Act (FCRA) governs pre-screening reports from outside agencies that creates a Consumer Report. This example EPA procedure describes how the agency meets control requirements for the NIST SP 800-53 Personnel Security control family. This article provides an overview of how to conduct, maintain and dispose of employee background checks to improve personnel security. This Employee Background Check Policy template is ready to be tailored to your company’s needs and should be considered a starting point for setting up your employment policies.
Discussion [NIST SP 800-171 R2]
Personnel security screening (vetting) activities involve the evaluation/assessment of individual’s conduct, integrity, judgment, loyalty, reliability, and stability (i.e., the trustworthiness of the individual) prior to authorizing access to organizational systems containing CUI. The screening activities reflect applicable federal laws, Executive Orders, directives, policies, regulations, and specific criteria established for the level of access required for assigned positions.
Further Discussion
Ensure all employees who need access to CUI undergo organization-defined screening before being granted access. Base the types of screening on the requirements for a given position and role.
The effective screening of personnel provided by this practice, PS.L2-3.9.1, improves upon the effectiveness of authentication performed in IA.L1-3.5.2.