Screen individuals prior to authorizing access to systems containing CUI
📖 What This Means
This control requires organizations to vet individuals before granting them access to systems handling Controlled Unclassified Information (CUI). Screening ensures only trustworthy personnel can access sensitive data. It typically involves background checks, employment history verification, and reference checks. For example, a defense contractor must verify a new IT admin's criminal record before allowing them to manage servers storing CUI. Another example: a subcontractor's employees must pass basic employment verification before accessing CUI in shared cloud systems. The goal is to prevent insider threats and unauthorized access.
🎯 Why It Matters
Failing to screen personnel risks insider threats, data leaks, and compliance violations. A 2022 Verizon DBIR report found that 22% of breaches involved internal actors. In one case, an unscreened employee at a defense supplier stole CUI and sold it to foreign entities, costing the company $2.3M in fines. This practice is NIST SP 800-171 requirement 3.9.1, which DoD flows down to contractors through DFARS 252.204-7012 and CMMC, because CUI requires protection from both external and internal threats. Proper screening reduces the risk of espionage, sabotage, and accidental exposure by ensuring only vetted individuals handle sensitive data.
✅ How to Implement
- 1. Integrate the HR system with IAM (e.g., Microsoft Entra ID (Azure AD) or AWS IAM Identity Center) so that accounts are created, or added to CUI access groups, only after HR records screening as complete
- 2. Gate CUI application access on a screening attribute: for example, populate a dynamic group from a 'screeningStatus' user attribute and scope both application assignment and Conditional Access for CUI systems to that group
- 3. Use Microsoft Entra Privileged Identity Management (PIM), or an equivalent approval workflow for AWS roles, so that elevated roles can be activated only after an approver confirms the required screening is on file
- 4. Automate re-screening reminders from the HR system or a workflow tool (e.g., a scheduled job keyed on each screening's completion date), not from mail or retention features that cannot track screening dates
- 5. Store background check results in encrypted storage restricted to HR and security personnel (e.g., an S3 bucket with SSE-KMS and a least-privilege bucket policy), linked to the employee record
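The two checks that steps 1 and 2 (and the annual audit in the self-assessment questions) depend on are the same check: "does this user hold a current, cleared screening of the tier the requested access level needs?" The script below is an added illustration, not code from this page or from any vendor; it assumes a hypothetical HRIS export (user, status, tier, completion date) and a hypothetical CUI access list, both constructed inline, and assumed policy values (a five-year re-screening interval, and an "elevated" tier for admin access). The same function gates provisioning and drives the periodic reconciliation.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# --- Assumed policy values (illustrative; set these from your own policy) ---
RESCREEN_INTERVAL = timedelta(days=5 * 365)          # re-screen every 5 years
TIER_RANK = {"basic": 1, "elevated": 2}              # ordering of screening depth
REQUIRED_TIER = {"standard": "basic", "admin": "elevated"}  # access level -> tier
AUDIT_DATE = date(2024, 6, 1)                        # fixed "today" for the sample


@dataclass(frozen=True)
class ScreeningRecord:
    user_id: str
    status: str                   # "cleared", "pending" or "adverse"
    tier: str                     # "basic" or "elevated"
    completed_on: Optional[date]  # None until adjudicated


# Constructed sample HRIS export (hypothetical users, not real data).
SCREENING_RECORDS = {
    "alice": ScreeningRecord("alice", "cleared", "basic", date(2023, 1, 10)),
    "bob":   ScreeningRecord("bob", "cleared", "elevated", date(2022, 6, 1)),
    "carol": ScreeningRecord("carol", "pending", "basic", None),
    "erin":  ScreeningRecord("erin", "cleared", "basic", date(2023, 3, 5)),
    "frank": ScreeningRecord("frank", "cleared", "basic", date(2015, 1, 1)),
}

# Constructed sample IAM/ACL export: user -> access level on the CUI system.
CUI_ACCESS = {
    "alice": "standard",
    "bob": "admin",
    "carol": "standard",
    "dave": "standard",   # no screening record at all
    "erin": "admin",      # screened, but only at the basic tier
}


def check_screening(user_id, access_level, records, as_of):
    """Return (ok, reason). ok is True only when a cleared, unexpired screening
    of sufficient tier exists for the requested access level."""
    rec = records.get(user_id)
    if rec is None:
        return False, "no screening record"
    if rec.status != "cleared" or rec.completed_on is None:
        return False, f"screening {rec.status}"
    if as_of - rec.completed_on > RESCREEN_INTERVAL:
        return False, f"screening expired on {rec.completed_on + RESCREEN_INTERVAL}"
    needed = REQUIRED_TIER[access_level]
    if TIER_RANK[rec.tier] < TIER_RANK[needed]:
        return False, f"tier {rec.tier} insufficient for {access_level} (needs {needed})"
    return True, "cleared"


def can_provision(user_id, access_level, records=SCREENING_RECORDS, as_of=None):
    """Gate called by the provisioning workflow before any CUI access is granted."""
    ok, _ = check_screening(user_id, access_level, records, as_of or date.today())
    return ok


def audit_access(access, records=SCREENING_RECORDS, as_of=None):
    """Periodic reconciliation: compare the CUI access list against screening
    records and return sorted (user_id, reason) pairs for accounts that should
    not hold their current access."""
    as_of = as_of or date.today()
    findings = []
    for user_id, level in sorted(access.items()):
        ok, reason = check_screening(user_id, level, records, as_of)
        if not ok:
            findings.append((user_id, reason))
    return findings


if __name__ == "__main__":
    for user_id, reason in audit_access(CUI_ACCESS, as_of=AUDIT_DATE):
        print(f"FINDING {user_id}: {reason}")
    print("frank may be provisioned:", can_provision("frank", "standard", as_of=AUDIT_DATE))
```

Run against the sample, the audit flags carol (screening still pending), dave (no record at all, the "assumed someone else screened them" case) and erin (admin access on a basic-tier screening), while frank is denied provisioning because a screening older than the interval is treated as no screening. Each finding names the reason, which is the line item that goes into the screening exception log or the POA&M.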
📋 Evidence Examples
Screening Policy Document
Completed Background Check Report
Access Control List with Screening Status
Signed Acceptable Use Policy
Screening Exception Log
📝 SSP Guidance
Use this guidance when writing the System Security Plan (SSP) narrative for this control.
How to Write the SSP Narrative
For PS.L2-3.9.1 ("Screen individuals prior to authorizing access to systems containing CUI"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe your personnel security program, including background check requirements, screening frequency, and procedures for protecting CUI during personnel actions (hiring, transfer, termination). Be specific -- name your actual products, settings, and responsible personnel.
Example SSP Narratives
"PS.L2-3.9.1 is implemented using cloud-native controls. [Organization] screens individuals through [screening vendor/HR process] and uses [specific cloud service/feature] to ensure that access to systems containing CUI is provisioned only after screening is recorded as complete. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Entra ID Conditional Access policy screenshot, CloudTrail logs']."
"PS.L2-3.9.1 is implemented through on-premise infrastructure controls. [Organization] screens individuals through [screening vendor/HR process] and uses [Active Directory/Group Policy/specific tool] to ensure that accounts are added to CUI access groups only after screening is complete. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."
"PS.L2-3.9.1 is implemented across both cloud and on-premise environments. [Organization] screens individuals through [screening vendor/HR process] and uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement of the screening gate. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."
System Boundary Considerations
- • Identify all personnel categories with CUI access
- • Document the screening process and vendor
- • Specify termination SLAs for account disablement
- • Ensure this control covers all systems within your defined CUI boundary, and every category of personnel (employees, contractors, subcontractor staff) who can reach them
- • Document any systems where this control is not applicable and explain why
Key Documentation to Reference in SSP
- 📄 Personnel Security Policy
- 📄 Background check summary (aggregate, not individual)
- 📄 Termination checklists
- 📄 HR-IT notification process documentation
- 📄 Evidence artifacts specific to PS.L2-3.9.1
- 📄 POA&M entry if control is not fully implemented
What the Assessor Looks For
The assessor will verify that all personnel with CUI access have been screened before access was granted (sampling access lists against screening records and onboarding dates), confirm that the screening process and exceptions are documented, and, because this practice is assessed alongside the personnel-action requirements, test the termination timeline against your documented SLA (for example, accounts disabled within 1 hour) and review sample termination checklists.
💬 Self-Assessment Questions
Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.
Question 1: Do you have a written policy defining required screening procedures for CUI access?
Question 2: Are background checks completed for 100% of personnel with CUI access?
Question 3: Is screening status verified before provisioning access in IAM systems?
Question 4: Are screening records retained for at least 3 years after employment ends?
Question 5: Do you conduct annual audits comparing CUI access lists against screening records?
⚠️ Common Mistakes (What Auditors Flag)
1. Assuming subcontractor employees are screened by their employer without obtaining evidence (a contractual flowdown and a written attestation at minimum)
2. Keeping only a bare 'pass/fail' flag with no record of the screening date, scope, adjudicator, or vendor, so the result cannot be tied to the access decision
3. Not screening temporary/contract workers
4. Manual processes causing delays in access revocation
5. No documentation for screening exceptions
📚 Parent Policy
This practice is governed by the Personnel Security Policy