NIST 800-53 REV 5 • PERSONNEL SECURITY

PS-8 Personnel Sanctions

a. Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and

b. Notify [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions.

Practitioner Notes

PS-8 has two parts. First, you must have a formal, documented process for sanctioning (disciplining) individuals who violate security and privacy policies; without consequences, policies are just suggestions. Second, when a formal sanctions process is initiated, you must notify the personnel or roles you have designated, within the time period you have defined, stating who is being sanctioned and why. Both the roles and the time period are organization-defined parameters, so write them into the policy rather than leaving them to be decided case by case.

Example 1: Define a progressive discipline process for security violations in your personnel security policy: verbal warning for a first minor offense, written warning for repeat offenses, suspension or access revocation for serious violations, and termination for egregious or intentional breaches. Document each action in the employee's file, and record the date the designated roles were notified so you can show the notification requirement was met.

Example 2: Work with HR and legal to ensure security sanctions are included in your employee handbook and communicated during onboarding. When a violation occurs, document the incident, the investigation findings, and the sanction applied. Report trends to leadership quarterly so patterns (e.g., repeated phishing failures by the same team) can be addressed with targeted training.