
How to Meet NIST SP 800-171 & CMMC Personnel Security Requirements

To meet CMMC and NIST SP 800-171 requirements, organizations must implement personnel security controls. What are these requirements and how can they be met?


What are the NIST SP 800-171 and CMMC Personnel Security Requirements?

There are two security controls from NIST SP 800-171 and CMMC level three related to personnel security.

NIST SP 800-171 3.9.1 and CMMC PS.2.127


Requirement: Screen individuals prior to authorizing access to organizational systems containing CUI.

How to Meet Requirements 3.9.1 and PS.2.127

Personnel who will be handling controlled unclassified information (CUI) should undergo a pre-screening process. This can be accomplished by requiring personnel to complete a criminal background check before they are hired or provided access to CUI. You can add other checks as necessary, such as a credit check, a drug test, and confirmation of their education.
There are many companies that offer background checks for a reasonable price. One of them is “GoodHire”.

NIST SP 800-171 3.9.2 and CMMC PS.2.128


Requirement: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.

How to Meet Requirements 3.9.2 and PS.2.128

When an employee's or contractor's contract is terminated, they no longer require access to your information system; as a result, you must revoke all of their logical and physical access to the system. This includes disabling their user accounts, signing them out of any active sessions, and revoking their physical access devices (e.g., keys to the facility). You must also collect all equipment provided to them, including their laptop, removable storage devices, smartphones, and authentication hard token (e.g., YubiKey). You must also perform an exit interview with the terminated employee or contractor, during which you remind them of their non-disclosure agreement with the company.
When personnel are transferred to a new role in your organization, they will likely need access to new system resources and no longer require access to resources associated with their old role. Whenever a personnel transfer occurs, you should review the person's logical and physical access requirements and adjust them to fit their new role.
You should have well-documented employee onboarding, termination, and role-transfer processes.
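As an added example (not code from the original article), the following Python helper turns the termination and transfer rules above into a concrete access-review plan: termination revokes every entitlement and lists the equipment to collect, while a transfer diffs the person's current entitlements against what the new role needs, which also surfaces ad-hoc grants no role justifies. The role matrix, entitlement names and issued-item list are constructed placeholders, not values from the article.

```python
"""Access-review planner for personnel actions (NIST SP 800-171 3.9.2 / CMMC PS.2.128)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample role matrix: role -> entitlements that role legitimately needs.
# Logical access (accounts, shares) and physical access (badges) are treated alike.
ROLE_ENTITLEMENTS = {
    "engineer": {"vpn", "git", "cui-share-eng", "badge:building-a"},
    "finance": {"vpn", "erp", "cui-share-fin", "badge:building-b"},
}

# Constructed list of issued equipment that must be returned on termination.
ISSUED_ITEMS = ["laptop", "hard token", "removable storage", "smartphone"]


@dataclass
class Plan:
    revoke: set = field(default_factory=set)   # entitlements to remove
    grant: set = field(default_factory=set)    # entitlements to add
    collect: list = field(default_factory=list)  # equipment to take back
    end_sessions: bool = False                 # force sign-out of active sessions


def plan_personnel_action(current: set, action: str, new_role: Optional[str] = None) -> Plan:
    """Return the access changes required for a termination or role transfer.

    current: the person's entitlements as they exist today (from your IAM/badge systems).
    """
    if action == "terminate":
        # Termination: every logical and physical entitlement goes, sessions are
        # ended, and all issued equipment is collected. Nothing is granted.
        return Plan(revoke=set(current), grant=set(),
                    collect=list(ISSUED_ITEMS), end_sessions=True)
    if action == "transfer":
        if new_role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"unknown role: {new_role!r}")
        needed = ROLE_ENTITLEMENTS[new_role]
        # Transfer: drop whatever the new role does not need (old-role access and
        # any leftover one-off grants), then add what the new role does need.
        return Plan(revoke=current - needed, grant=needed - current,
                    collect=[], end_sessions=False)
    raise ValueError(f"unknown action: {action!r}")


if __name__ == "__main__":
    # Constructed example: an engineer with a stale admin grant moves to finance.
    today = {"vpn", "git", "cui-share-eng", "badge:building-a", "legacy-admin"}
    print(plan_personnel_action(today, "transfer", "finance"))
    print(plan_personnel_action(today, "terminate"))
```

The output of the planner is the checklist your IAM, badge and asset-management owners work through; recording that each item was completed is the evidence an assessor will ask for.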