CMMC and NIST SP 800-171 Physical Protection

How to Meet NIST SP 800-171 & CMMC Personnel Security Requirements

Omer Aslim selfie
By: Omer Kaan Aslim
October 22, 2021
To meet CMMC and NIST SP 800-171 requirements, organizations must implement personnel security controls. What are these requirements and how can they be met?

What are the NIST SP 800-171 and CMMC Personnel Security Requirements?

There are two security controls from NIST SP 800-171 and CMMC level three related to personnel security.

NIST SP 800-171 3.9.1 and CMMC PS.2.127


Photo by Anna Shvets from Pexels

Requirement: Screen individuals prior to authorizing access to organizational systems containing CUI.

How to Meet Requirements 3.9.1 and PS.2.127

Personnel who will be handling controlled unclassified information (CUI) should undergo a pre-screening process. This can be accomplished by requiring personnel to complete a criminal background check before they are hired or provided access to CUI. You can add other checks as necessary such as credit check, drug test, and a confirmation of their education.
There are many companies that offer background checks for a reasonable price. One of them is “GoodHire”.

NIST SP 800-171 3.9.2 and CMMC PS.2.128


Photo by Anna Tarazevich from Pexels

Requirement: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.

How to Meet Requirement 3.9.2 and PS.2.128

When an employee or contractors contract is terminated they no longer require access to your information system, as a result you must revoke all of their logical and physical access to the system. This includes disabling their user accounts, signing them out of any active sessions, and revoking their physical access device (e.g., keys to the facility). You must also collect all equipment provided to them including their laptop, removable storage devices, smartphones, and authentication hard token (e.g., Yubikey). You must also perform an exit interview with the terminated employee or contractor where you remind them of their non-disclosure agreement with the company.
When personnel are transferred to a new role in your organization they will likely need access to new system resources and no longer require access to resources associated with their old role. Whenever personnel transfers occur, you should review their logical and physical access requirements and adjust them to fit their new role.
You should have a well documented employee onboarding, termination, and role transfer processes.

Discover Our NIST SP 800-171 Solutions:


Compliance Accelerator

For contractors seeking compliance

Quantum Assessor

For IT service providers

Supply Chain Verifier

For contractors seeking to verify partner compliance