3.9.1—Personnel Security - Basic
Basic Requirement
Control Description
Screen individuals prior to authorizing access to organizational systems containing CUI.
Discussion
Personnel security screening (vetting) activities involve the evaluation/assessment of an individual's conduct, integrity, judgment, loyalty, reliability, and stability (i.e., the trustworthiness of the individual) prior to authorizing access to organizational systems containing CUI. The screening activities reflect applicable federal laws, Executive Orders, directives, policies, regulations, and specific criteria established for the level of access required for assigned positions.
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policies govern screening personnel before authorizing access to CUI?
- What screening procedures are implemented (background checks, etc.)?
- Who is responsible for conducting personnel screening?
- How often is personnel screening refreshed or updated?
- What governance ensures all personnel are properly screened?
Technical Implementation:
- What systems track personnel screening status?
- How do you link screening completion to system access?
- What automated checks verify current screening status?
- How do you prevent access for personnel without completed screening?
- What tools manage and track background check processes?
Evidence & Documentation:
- Can you provide personnel screening records?
- What documentation shows background checks are completed?
- Can you demonstrate access is contingent on screening?
- What tracking reports verify all personnel are screened?
- What audit evidence confirms personnel screening compliance?