Level 5 CMMC - CMMC Practices

PS.2.127  

Reference: CMMC 1.02

Family: PS

Level Introduced: 2

Practice:
Screen individuals prior to authorizing access to organizational systems containing CUI.

CMMC Clarification:
Make sure all employees who need access to CUI have the organization-defined screening before they get access. Base the types of screening on the requirements defined for that specific level of access.

Example
You are in charge of security at your organization. All individuals you hire must have proper screening before they can access CUI. Screening may include activities such as background checks and drug testing. Follow the appropriate laws, policies, regulations, and criteria for the level of access required for each position.

3.9.1

Screen individuals prior to authorizing access to organizational systems containing CUI.

Discussion:
Personnel security screening (vetting) activities involve the evaluation/assessment of an individual’s conduct, integrity, judgment, loyalty, reliability, and stability (i.e., the trustworthiness of the individual) prior to authorizing access to organizational systems containing CUI. The screening activities reflect applicable federal laws, Executive Orders, directives, policies, regulations, and specific criteria established for the level of access required for assigned positions.

Source: NIST Special Publication 800-171 Rev. 2

PS-3

PERSONNEL SCREENING

Description:
The organization:
    a. Screens individuals prior to authorizing access to the information system; and
    b. Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening].

Supplemental Guidance:
Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems. Related controls: AC-2, IA-4, PE-2, PS-2.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02