PS-8—Personnel Sanctions
>Control Description
- Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and
- Notify [organization-defined personnel or roles] within [organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.
>FedRAMP Baseline Requirements
No FedRAMP-specific parameter values or requirements for this baseline.
>Discussion
Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions.
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What is the process for applying formal sanctions for personnel failing to comply with security policies?
- How does the organization determine appropriate sanctions for different types of violations?
- Who has authority to apply formal sanctions, and what is the decision-making process?
- How are sanctions documented and communicated to affected personnel?
- What governance exists for ensuring fair and consistent application of sanctions?
Technical Implementation:
- What systems track personnel security violations and sanctions?
- How are sanctions technically enforced (access restrictions, monitoring)?
- What integration exists between sanction tracking and HR systems?
- What audit trails document sanction decisions and enforcement?
Evidence & Documentation:
- Provide personnel security sanction policies and procedures.
- Provide sanction records for the past year (if any).
- Provide evidence of sanction decision-making and approval.
- Provide documentation of sanction communication to affected personnel.
- Provide records showing consistent application of sanctions.