Last Updated on January 12, 2024
The US Department of Defense (DoD) created the Cybersecurity Maturity Model Certification (CMMC) standard to better protect Controlled Unclassified Information (CUI) across its global supply chain. CMMC includes 171 practices (controls), which it organizes into 17 domains. Each practice also relates to a capability, and is associated with one of the CMMC’s five cybersecurity maturity levels.
Personnel Security (PS) is among the most straightforward of the CMMC domains. Given the prevalence and devastating potential consequences of insider threats, businesses obviously need to mitigate the risk that staff pose to data and systems. Screening potential hires in line with their roles and following commonsense procedures during staff turnover are key steps towards keeping CUI secure.
The Personnel Security domain defines just two practices, both at CMMC Level 2. The domain also has two capabilities, one associated with each practice:
- Screen personnel
- Protect CUI during personnel actions
What are the CMMC Personnel Security Domain Practices?
Both Personnel Security practices are mandated starting at CMMC Level 2:
- 2.127 Screen individuals prior to authorizing access to organizational systems containing CUI.

It’s important to know if someone can be trusted before you give them authorized access to CUI. Personnel screening offers insight into a potential employee’s character, integrity, judgment, reliability and overall trustworthiness. This practice mandates that all employees who will access CUI undergo your defined screening process before they are granted access. The types of screening you specify should reflect the level of access required and the sensitivity of the data involved. Some of the screening checks you might use include criminal background checks, credit checks, drug testing, reference checks, employment history checks, etc.

- 2.128 Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.

This practice requires you to ensure that staff can no longer access CUI if they change jobs, leave the organization or are terminated. The procedures involved could include:

- Return of company IT equipment like laptops, storage devices and cell phones
- Return of all ID/access cards, keys, passes, etc.
- Return of technical manuals or other special documentation
- Erasing all returned equipment before reusing it
- Removing/disabling access to accounts granting access to CUI
- Conducting an exit interview, including reminding the departing employee about his/her ongoing security responsibility not to discuss CUI
What is needed to comply with the CMMC Personnel Security Domain controls?
The CMMC Personnel Security domain practices are in line with most organizations’ existing pre- and post-employment procedures, regardless of what kind of information you need to protect. If you can’t trust the people you hire and fail to restrict their access to systems and data upon departure, your other security controls won’t mean much.
Due diligence checks before hiring someone are not overly costly or time-consuming in relation to the security and peace of mind benefits they provide. Likewise, following a sensible “exit strategy” is vital to business continuity and is even expected by departing employees. Beyond that, CMMC requires that you document your procedures and demonstrate to an assessor that you are following them.
One potential compliance challenge with the Personnel Security domain practices is that various regulations, policies and other criteria might also apply (e.g., security clearances), depending on the access level and sensitivity of the data involved. Be sure you know exactly what is required for hiring and terminating staff beyond what CMMC explicitly entails.
Need to comply with CMMC requirements? Contact Pivot Point Security to discuss your specific needs and concerns with a CMMC expert.