CMMC Requirement PS.L3-3.9.2E – Adverse Information: Ensure that organizational systems are protected if adverse information develops or is obtained about individuals with access to CUI.
Links to Publicly Available Resources
Control 06: Access Control Management outlines the criticality, procedures and tools, and safeguards for controlling user access, including terminating accounts and continuous monitoring of account access.
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 3.
This web page provides information on threat detection, common threat indicators, the importance of early detection, and insider threat prevention best practices. Also included are steps an organization can follow to help detect insider threats to avoid a cybersecurity breach or limit the possible damage (i.e., revoking access).
This fact sheet identifies strategies that can be established during an employee's work lifecycle, including screening/hiring for potential negative indicators that could impact an individual's ability to safeguard CUI, continuous monitoring and training, and post-employment/termination actions including access control.
This document provides resources on how to build a successful insider threat mitigation plan and on detecting, identifying, assessing, and managing insider threats.
This website provides information on how to manage security clearances, including incident reports and revocation.
If adverse information develops or is obtained about an individual with access to CUI which calls into question whether the individual should have continued access to systems containing CUI, actions are taken (e.g., preclude or limit further access by the individual, audit actions taken by the individual) to protect the CUI while the adverse information is resolved.
Further Discussion
According to the Defense Counterintelligence and Security Agency, or DCSA (Industrial Security Letter ISL 2011-04, revised July 15, 2020), adverse information consists of any information that negatively reflects the integrity or character of an individual. This pertains to an individual's ability to safeguard sensitive information, such as CUI. Adverse information may simply be a report showing someone has sent sensitive information outside the organization or used unapproved software, against company policy. An organization may receive adverse information about an individual through police reports, reported violations of company policies (including social media posts that directly violate company policies), and revocation or suspension of DoD clearance.
When adverse information is identified about a given individual, the organization should take action to validate that information resources accessible by the individual have been identified and appropriate protection mechanisms are in place to safeguard information and system configurations. Based on organizational policy, an individual’s access to resources may be more closely monitored or restricted until further review. Logs should be examined to identify any attempt to perform unauthorized actions.