>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

PS-2Position Risk Designation

LI-SaaS
Low
Moderate
High

>Control Description

a

Assign a risk designation to all organizational positions;

b

Establish screening criteria for individuals filling those positions; and

c

Review and update position risk designations organization-defined frequency.

>FedRAMP Baseline Requirements

Parameter Values

c
at least annually

>Discussion

Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position.

The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems.

Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions.

>Cross-Framework Mappings

SCF

HRS-02
Compare
HRS-03.2
Compare

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What is the process for assigning risk designations to organizational positions?
  • How does the organization determine appropriate screening and vetting requirements for different risk levels?
  • Who reviews and approves position risk designations?
  • How frequently are position risk designations reviewed and updated?
  • What governance exists for ensuring position categorization aligns with organizational security requirements?

Technical Implementation:

  • What systems or tools manage position risk designations?
  • How are position risk levels integrated with HR and access control systems?
  • What technical controls enforce screening requirements based on position risk?
  • How are position risk designations automatically updated when job duties change?

Evidence & Documentation:

  • Provide documentation of position risk designation criteria and methodology.
  • Provide position risk designation assignments for all positions.
  • Provide evidence of position categorization review and approval.
  • Provide records of position risk designation updates when duties change.
  • Provide documentation linking position risk levels to screening requirements.

Ask AI

Configure your API key to use AI features.