CMMC Practice PS.L2-3.9.1 – Screen Individuals: Screen individuals prior to authorizing access to organizational systems containing CUI.
Links to Publicly Available Resources
- CMMC Level 2 Assessment Guide
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2.
- Department of Agriculture – Personnel Security for Information Systems
This example directive can assist organizations that are required to meet the personnel security (PS) controls as stated in NIST SP 800-53.
- Employment Screening Services – What Employers Must Know About the FCRA
The Fair Credit Reporting Act (FCRA) governs pre-screening reports from outside agencies that creates a Consumer Report.
- Environmental Protection Agency – Personnel Security Procedures
This example EPA procedure describes how the agency meets control requirements for the NIST SP 800-53 Personnel Security control family.
- Equal Employment Opportunity Commission – Background Checks: What Employers Need to Know
This article provides an overview of how to conduct, maintain and dispose of employee background checks to improve personnel security.
- Workable – Employee Background Check Policy Sample
This Employee Background Check Policy template is ready to be tailored to your company’s needs and should be considered a starting point for setting up your employment policies.
Discussion [NIST SP 800-171 R2]
Personnel security screening (vetting) activities involve the evaluation/assessment of individual’s conduct, integrity, judgment, loyalty, reliability, and stability (i.e., the trustworthiness of the individual) prior to authorizing access to organizational systems containing CUI. The screening activities reflect applicable federal laws, Executive Orders, directives, policies, regulations, and specific criteria established for the level of access required for assigned positions.
Further Discussion
Ensure all employees who need access to CUI undergo organization-defined screening before being granted access. Base the types of screening on the requirements for a given position and role.
The effective screening of personnel provided by this practice, PS.L2-3.9.1, improves upon the effectiveness of authentication performed in IA.L1-3.5.2.