NIST 800-53 REV 5 • PERSONNEL SECURITY
PS-3 — Personnel Screening
a. Screen individuals prior to authorizing access to the system; and
b. Rescreen individuals in accordance with [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening].
Supplemental Guidance
Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems.
Practitioner Notes
Everyone who will have access to your information systems must be screened (background checked) before access is authorized, and the depth of the screening should match the risk designation assigned to their position (see PS-2). Rescreening is not optional: the organization has to state both the conditions that trigger it (for example, a move to a higher-risk position) and how often it recurs for each risk designation, and then actually enforce those values.
Example 1: For low-risk positions, run a basic criminal background check and verify employment history. For moderate-risk positions, add a credit check (with the consent the applicable consumer-reporting law requires) and reference checks. For high-risk positions, or for federal positions and cleared contractors who need access to classified information, initiate the investigation through the Defense Counterintelligence and Security Agency (DCSA) rather than a commercial provider.
Example 2: Use a background check provider such as Sterling, HireRight, or GoodHire integrated with your HR system. Set up rules so that when HR creates a new hire record, the system automatically requests the screening level that matches the position risk designation, and have account provisioning (AC-2) consume the result: no favorable screening result on file, no system access. Apply the same rule when a person changes positions, since a screening that was adequate for a low-risk role may not cover the new one, and track the completion date so the rescreen interval can be enforced.
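The gate described in Example 2, as an added illustration rather than code from NIST or from any HR or background-check vendor: a provisioning decision function that denies access when no screening is on record, when the result is unfavorable, when the screening depth is below the position's risk designation, or when the organization-defined rescreen interval has elapsed. The tier names, the intervals, and the sample records are assumptions chosen for the example, not values from the control.

```python
"""Screening-keyed provisioning gate for PS-3 (added example, not NIST text).

Assumed organization-defined values: risk tiers LOW < MODERATE < HIGH and
per-tier rescreen intervals. Sample screening records are constructed here.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum
from typing import Dict, Optional


class RiskTier(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Organization-defined rescreen frequency per position risk tier (assumed).
RESCREEN_INTERVAL = {
    RiskTier.LOW: timedelta(days=5 * 365),
    RiskTier.MODERATE: timedelta(days=3 * 365),
    RiskTier.HIGH: timedelta(days=365),
}


@dataclass(frozen=True)
class Screening:
    tier: RiskTier        # depth of the screening that was actually completed
    completed_on: date
    favorable: bool


@dataclass(frozen=True)
class Decision:
    grant: bool
    reason: str
    rescreen_due: Optional[date] = None


def evaluate_access(position_tier: RiskTier,
                    screening: Optional[Screening],
                    today: date) -> Decision:
    """Decide whether account provisioning may proceed for this person."""
    if screening is None:
        return Decision(False, "no screening result on record")
    if not screening.favorable:
        return Decision(False, "unfavorable screening result")
    # A position change to a higher tier invalidates a shallower screening.
    if screening.tier < position_tier:
        return Decision(False, f"screening depth {screening.tier.name} "
                               f"below position tier {position_tier.name}")
    # The rescreen clock is driven by the position held, not by the
    # screening that happened to be performed.
    due = screening.completed_on + RESCREEN_INTERVAL[position_tier]
    if today >= due:
        return Decision(False, "rescreen overdue", rescreen_due=due)
    return Decision(True, "screening current", rescreen_due=due)


def sample_decisions(today: date = date(2024, 6, 1)) -> Dict[str, Decision]:
    """Run the gate over constructed sample records (not real personnel data)."""
    return {
        "new_hire_no_result": evaluate_access(RiskTier.LOW, None, today),
        "low_current": evaluate_access(
            RiskTier.LOW, Screening(RiskTier.LOW, date(2022, 6, 1), True), today),
        "promoted_to_high": evaluate_access(
            RiskTier.HIGH, Screening(RiskTier.MODERATE, date(2024, 1, 1), True), today),
        "high_overdue": evaluate_access(
            RiskTier.HIGH, Screening(RiskTier.HIGH, date(2023, 4, 1), True), today),
        "unfavorable": evaluate_access(
            RiskTier.MODERATE, Screening(RiskTier.HIGH, date(2024, 1, 1), False), today),
    }


if __name__ == "__main__":
    for name, d in sample_decisions().items():
        print(f"{name:20s} grant={d.grant!s:5s} reason={d.reason} due={d.rescreen_due}")
```

The only path that grants access is the one where a favorable result exists, its depth covers the position, and the rescreen date has not passed; everything else is a denial with a reason the provisioning system can surface to HR. Wiring this into an identity workflow means the account-creation step calls the gate and refuses to proceed on `grant=False`, and a scheduled job re-evaluates existing accounts so that an overdue rescreen disables access rather than merely generating a reminder.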