
PS-7 External Personnel Security

IL4 Mod
IL4 High
IL5
IL6

Control Description

a. Establish personnel security requirements, including security roles and responsibilities for external providers;
b. Require external providers to comply with personnel security policies and procedures established by the organization;
c. Document personnel security requirements;
d. Require external providers to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges, within an organization-defined time period; and
e. Monitor provider compliance with personnel security requirements.

DoD Impact Level Requirements

FedRAMP Parameter Values

PS-7 (d)-1: [including access control personnel responsible for the system and/or facilities, as appropriate]
PS-7 (d)-2: [terminations: immediately; transfers: within twenty-four (24) hours]

Discussion

External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents.

External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals.

Related Controls

Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the use of third-party personnel, including contractors and consultants?
  • How does the organization ensure third-party personnel agreements include security and privacy requirements?
  • Who is responsible for overseeing third-party personnel security?
  • What process exists for monitoring third-party personnel compliance with security requirements?
  • What governance exists for terminating third-party personnel access when contracts end?

Technical Implementation:

  • What systems manage third-party personnel identities and access?
  • How are third-party personnel distinguished from employees in technical systems?
  • What controls enforce contract-based access restrictions for third parties?
  • How are third-party access rights time-limited based on contract duration?
  • What monitoring capabilities exist specifically for third-party personnel activities?
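The questions above on time-limiting third-party access and monitoring third-party activity, together with the FedRAMP PS-7 (d)-2 window (terminations immediately, transfers within 24 hours), can be turned into a repeatable compliance check rather than a manual review. The following Python is an added illustration, not code from this page or from any FedRAMP or DoD tooling. It assumes the organization keeps a roster of external-provider accounts that records the provider's HR event, when the provider notified the organization, and when the identity provider acted on it; the roster rows, names and timestamps are constructed, and the 1-hour figure used for "immediately" is an assumed organization-defined threshold, since the control itself gives no number for it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc


@dataclass
class ExternalPerson:
    """One external-provider individual holding organizational credentials."""
    user: str
    provider: str
    contract_end: datetime
    event: Optional[str] = None                   # "termination" | "transfer" | None
    event_time: Optional[datetime] = None         # when the provider's action took effect
    notified_at: Optional[datetime] = None        # when the provider notified the organization
    account_disabled_at: Optional[datetime] = None  # when the IdP disabled the account
    access_reviewed_at: Optional[datetime] = None   # when privileges were re-provisioned after a transfer


# Notification windows per PS-7 (d)-2. The 24 h transfer window is the FedRAMP value;
# "immediately" for terminations has no numeric value in the control, so the 1 h
# figure is an ASSUMED organization-defined threshold for this example.
WINDOWS = {
    "termination": timedelta(hours=1),
    "transfer": timedelta(hours=24),
}


def check_ps7(roster, now, windows=WINDOWS):
    """Return (user, code, detail) findings against PS-7 (d) and (e):
    missing or late provider notifications, credentials or privileges left
    unchanged after a reportable event, and accounts enabled past contract end."""
    findings = []
    for p in roster:
        if p.event is not None:
            limit = windows[p.event]
            if p.notified_at is None:
                findings.append((p.user, "NOT_REPORTED",
                                 f"{p.event} by {p.provider} never reported"))
            elif p.event_time is not None and p.notified_at - p.event_time > limit:
                late_h = (p.notified_at - p.event_time - limit).total_seconds() / 3600
                findings.append((p.user, "LATE_NOTIFICATION",
                                 f"{p.event} reported {late_h:.1f} h past the "
                                 f"{limit.total_seconds() / 3600:.0f} h window"))
            # A termination must end in a disabled account; a transfer must end in
            # a privilege review, since the person may legitimately keep an account.
            if p.event == "termination" and p.account_disabled_at is None:
                findings.append((p.user, "STILL_ENABLED",
                                 "account still enabled after termination"))
            if p.event == "transfer" and p.access_reviewed_at is None:
                findings.append((p.user, "NOT_REVIEWED",
                                 "privileges not re-provisioned after transfer"))
        # Time-limited access: an ended contract should mean a disabled account,
        # whether or not the provider ever sent a notification.
        if p.contract_end < now and p.account_disabled_at is None:
            findings.append((p.user, "PAST_CONTRACT_END",
                             f"account enabled past contract end {p.contract_end:%Y-%m-%d}"))
    return findings


# Constructed sample roster: invented users, providers and timestamps (UTC).
ROSTER = [
    ExternalPerson("alice", "Vendor A", datetime(2024, 12, 31, tzinfo=UTC),
                   event="termination",
                   event_time=datetime(2024, 3, 1, 9, 0, tzinfo=UTC),
                   notified_at=datetime(2024, 3, 1, 9, 10, tzinfo=UTC),
                   account_disabled_at=datetime(2024, 3, 1, 9, 15, tzinfo=UTC)),
    ExternalPerson("bob", "Vendor A", datetime(2024, 12, 31, tzinfo=UTC),
                   event="transfer",
                   event_time=datetime(2024, 3, 2, 8, 0, tzinfo=UTC),
                   notified_at=datetime(2024, 3, 3, 10, 0, tzinfo=UTC),   # 26 h later
                   access_reviewed_at=datetime(2024, 3, 3, 11, 0, tzinfo=UTC)),
    ExternalPerson("carol", "Vendor B", datetime(2024, 12, 31, tzinfo=UTC),
                   event="termination",
                   event_time=datetime(2024, 3, 5, 17, 0, tzinfo=UTC)),  # never reported
    ExternalPerson("dave", "Vendor B", datetime(2024, 2, 15, tzinfo=UTC)),  # contract ended
    ExternalPerson("erin", "Vendor C", datetime(2025, 6, 30, tzinfo=UTC)),  # clean
]
NOW = datetime(2024, 3, 10, tzinfo=UTC)

if __name__ == "__main__":
    for user, code, detail in check_ps7(ROSTER, NOW):
        print(f"{user:8} {code:18} {detail}")
```

Run against the sample roster this reports bob's transfer as 2.0 h late, carol's termination as never reported and still enabled, and dave's account as enabled past contract end; alice and erin produce no findings. The PAST_CONTRACT_END branch is the one that catches what a notification-based process alone misses: a provider that never reports a departure.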

Evidence & Documentation:

  • Provide third-party personnel security policies and procedures.
  • Provide contracts or agreements with third parties including security requirements.
  • Provide third-party personnel access records.
  • Provide evidence of third-party compliance monitoring.
  • Provide documentation of third-party access termination when contracts end.
