NIST 800-171 • LEVEL 2 • PERSONNEL SECURITY

3.9.1 Personnel Screening

Screen individuals prior to authorizing access to the system. Rescreen individuals in accordance with {{ insert: param, A.03.09.01.ODP.01 }}.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

  • individuals are screened prior to authorizing access to the system.
  • individuals are rescreened in accordance with the following conditions: {{ insert: param, A.03.09.01.ODP.01 }}.

Practitioner Notes

Before anyone gets access to systems that handle CUI, you need to screen them. This is not just about government clearances — it applies to any personnel, including contractors and employees at a small business.

Example 1: Require a background check through a third-party service like Sterling, GoodHire, or HireRight before granting system access to new employees or contractors. At minimum, run a criminal history check and verify employment history. Document the screening results in the employee’s HR file and do not provision their account until the check clears.

Example 2: Define a rescreening schedule in your personnel security policy — for example, rescreen all employees with CUI access every five years, or trigger a rescreening when someone transfers to a more sensitive role. Use your HRIS (e.g., BambooHR, ADP, or Workday) to set reminder notifications when rescreening is due.