NetStable
👤 2 Practices NIST 3.9.1 - 3.9.2

Personnel Security Policy

Personnel Security Domain (PS)

📖 What This Policy Covers

Personnel Security addresses the human element -- ensuring the people who access your CUI are trustworthy and that information is protected when their status changes. This policy covers pre-employment background checks (criminal history, employment verification, education verification, credit checks for sensitive roles), screening frequency (initial, periodic re-screening), termination procedures (account disablement, device retrieval, badge deactivation within 1 hour), role change/transfer procedures, and leave-of-absence handling. With only 2 practices, this is the smallest CMMC domain, but it's foundational.

Purpose

This policy ensures individuals are screened before receiving CUI access, CUI is protected during personnel transitions (hire, transfer, termination), and the organization can verify trustworthiness of personnel handling sensitive information.

Scope

Applies to all employees, contractors, and third-party personnel who access or may access CUI systems. Covers the full employment lifecycle from pre-hire screening through post-termination.

🎯 Why It Matters

Insider threats account for 25% of data breaches (Verizon DBIR). The period right before and after termination is the highest-risk window -- disgruntled employees may exfiltrate data. A terminated employee with active accounts is an immediate risk. Assessors specifically look for evidence that termination disables access within hours, not days, and that background checks are documented before CUI access is granted.

🔐 Key Requirements

1. Personnel Screening

Background checks before granting CUI access.

  • Background check before CUI access: criminal history, employment verification, education verification
  • Credit check for financially sensitive roles
  • Conducted by HR using approved vendor (HireRight, Sterling, Accurate)
  • Initial screening before CUI access granted
  • Periodic re-screening: every 5 years for employees, every 3 years for contractors
  • Adjudication: HR + CISO review results and approve/deny CUI access
  • Foreign nationals: additional screening if accessing DoD CUI (may require export control review)
  • Results stored in confidential HR personnel file

2. Personnel Actions

Protect CUI during termination, transfer, and leave.

  • Termination (within 1 hour of notification):
      • IT disables all accounts (AD, Azure AD, VPN, apps)
      • Facilities deactivates badge
      • IT retrieves company devices (laptop, phone, badge, keys)
      • Manager retrieves CUI materials (documents, USB drives, printouts)
      • IT wipes devices remotely if not retrieved
      • Legal reminds the individual of NDA obligations
      • IT Security reviews access logs for the 30 days prior
  • Transfer/role change (within 5 business days):
      • Manager submits access change request
      • IT modifies permissions to the new role
      • IT removes old-role access
      • HR updates personnel file
  • Leave of absence (>30 days): accounts disabled, data retained, re-enabled after identity verification on return

👥 Roles & Responsibilities

HR Department

  • Conduct background checks using approved vendors
  • Notify IT within 24 hours of personnel status changes
  • Maintain personnel records and screening documentation
  • Coordinate termination logistics with IT and Facilities

CISO / IT Director

  • Approve CUI access after screening review
  • Review access logs for terminated employees
  • Ensure 1-hour termination SLA is met
  • Approve re-screening schedule

IT Department

  • Disable accounts within 1 hour of termination notification
  • Modify access within 5 days of role change
  • Remote wipe devices not returned
  • Verify no access post-termination

Managers

  • Notify HR immediately of any personnel actions
  • Retrieve CUI materials from departing employees
  • Submit access change requests for transfers
  • Monitor for insider threat indicators

🛠️ Implementation Roadmap (4 Weeks)

1. Screening Process (Weeks 1-2)
  • Select background check vendor (HireRight, Sterling)
  • Establish screening criteria and approval workflow
  • Train HR on screening process and documentation
  • Create re-screening schedule for existing employees with CUI access

2. Termination Process (Weeks 3-4)
  • Create termination checklist with 1-hour SLA
  • Integrate with HR system for automatic IT notification
  • Train managers on CUI material retrieval
  • Test termination process with mock scenario
  • Create role-change access modification workflow

Recommended Tools

  • HireRight / Sterling / Accurate (background checks)
  • HR systems (BambooHR, Workday) for status notifications
  • Azure AD / Active Directory (account management)
  • Microsoft Intune (remote device wipe)

📊 CMMC Practice Mapping

Practice ID   | Requirement                                    | Policy Section
PS.L2-3.9.1   | Screen individuals before authorizing access   | 1 (Personnel Screening)
PS.L2-3.9.2   | Ensure CUI protection during personnel actions | 2 (Personnel Actions)

📋 Evidence Requirements

These are the artifacts a C3PAO assessor will ask for. Start collecting early.

Background Check Summary

Format: Excel
Frequency: Quarterly
Contents: Count of employees with CUI access, count screened, % compliant. Do NOT include individual results (keep in confidential HR files).
Tip: Show aggregate compliance rate, not individual results. Target: 100% of CUI-access personnel screened.

Completed Termination Checklists

Format: PDF
Frequency: Per termination; sample for audit
Contents: Sample of 5-10 termination checklists showing account disabled within 1 hour, devices retrieved, badge deactivated
Tip: Include timestamps showing the 1-hour SLA was met. This is a key assessor focus area.

Post-Termination Access Logs

Format: CSV
Frequency: Per termination
Contents: Log review showing terminated employees have zero access attempts after termination date
Tip: Run a report of login attempts by terminated users after their termination date. Zero attempts shows the control is working; any attempts must be documented as having been blocked.
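The two evidence checks above (the 1-hour SLA timestamps on termination checklists and the post-termination login review) can be produced from the same data. The script below is an added example, not part of the NetStable template; the termination records and the "timestamp,user,result" authentication log are constructed sample data, and the CSV layout is an assumption about your own export format.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the policy page): HR notification time and
# the time IT disabled each account, keyed by username.
TERMINATIONS = {
    "jdoe":   {"notified": "2024-03-04T14:05:00", "disabled": "2024-03-04T14:40:00"},
    "asmith": {"notified": "2024-03-11T09:00:00", "disabled": "2024-03-12T10:15:00"},
}

# Constructed authentication log export, assumed format: timestamp,user,result
AUTH_LOG = """\
2024-03-04T13:50:00,jdoe,success
2024-03-04T15:10:00,jdoe,failure
2024-03-11T16:30:00,asmith,success
2024-03-12T08:00:00,bwong,success
"""

SLA = timedelta(hours=1)  # policy: accounts disabled within 1 hour of notification


def parse(ts):
    return datetime.fromisoformat(ts)


def sla_report(terminations):
    """Minutes from HR notification to account disablement, and whether the SLA held."""
    report = {}
    for user, t in terminations.items():
        delta = parse(t["disabled"]) - parse(t["notified"])
        report[user] = {"minutes": int(delta.total_seconds() // 60), "sla_met": delta <= SLA}
    return report


def post_termination_attempts(auth_log, terminations):
    """Login attempts by terminated users at or after the notification time.

    after_disable=False with result=success means the account was used in the
    window between HR notification and IT disablement: the SLA gap was exploited.
    """
    findings = []
    for line in auth_log.strip().splitlines():
        ts, user, result = line.split(",")
        t = terminations.get(user)
        if t and parse(ts) >= parse(t["notified"]):
            findings.append({"user": user, "time": ts, "result": result,
                             "after_disable": parse(ts) >= parse(t["disabled"])})
    return findings


def unblocked_attempts(findings):
    """The subset an assessor will flag: successful logins after termination."""
    return [f for f in findings if f["result"] == "success"]
```

In the sample data jdoe's only post-termination attempt fails after the account was disabled (document it as blocked), while asmith logs in successfully during the 25-hour gap before disablement, which is the "accounts active for days" gap listed below.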

Screening Policy & Vendor Agreement

Format: PDF
Frequency: Annual review
Contents: Screening criteria document plus vendor contract/agreement
Tip: Include what checks are performed (criminal, employment, education, credit) and by whom.

⚠️ Common Gaps (What Assessors Flag)

1. No background checks for existing employees

Why this happens: Screening started recently. Existing employees with CUI access were never screened.
How to close the gap: Prioritize screening for employees with CUI access. Run background checks in batches. Set a deadline for 100% compliance.

2. Termination SLA not met (accounts active for days)

Why this happens: HR notifies IT late, or the process is manual and dependent on individual action.
How to close the gap: Automate HR-to-IT notification. Add account disablement to the HR termination workflow. Test quarterly with audit of recent terminations.

3. No process for contractor screening

Why this happens: Assumed the contracting company handles screening. No verification.
How to close the gap: Require screening attestation from contractor companies as part of the contract. Or conduct your own screening for contractors accessing CUI.

📝 Template Customization Guide

When filling in the downloadable template for this policy, replace these placeholders with your organization's specifics:

[COMPANY NAME]

Your organization's legal name

Example: Acme Defense Systems, LLC

[CISO Name]

Name of your CISO or HR Director

Example: Jane Smith

Customization Tips

  • 💡 Specify your exact background check vendor and what checks are included
  • 💡 Document your HR notification process (automated vs. manual) for terminations
  • 💡 If you use an HRIS system, describe how it triggers IT account disablement
  • 💡 For small organizations, the 1-hour SLA may require a direct phone call from HR to IT -- document this process

📚 Related Policies