- Ignyte CMMC Specialist
NIST 800-171 | PERSONNEL SECURITY
These requirements go hand-in-hand with the Physical Protection family of requirements, and they can most likely be handled by the same team member, such as the FSO (Facility Security Officer).
The easiest way to implement this control is by placing a privacy screen on all the desktops within your company. If you want to help your employees, ask them to purchase a similar screen for their mobile phones.
The requirement also ensures that, after a person has been released from employment, they turn in their badge and are removed from the physically secured areas where CUI, ITAR and similar data are handled.
Personnel Security
3.9.1 Screen individuals prior to authorizing access to information systems containing CUI.
Personnel screening activities reflect:
- Applicable federal laws
- Executive orders
- Directives
- Policies
- Regulations
- Specific criteria established for the level of access required for assigned positions
3.9.2 Ensure that CUI and information systems containing CUI are protected during and after personnel actions such as terminations and transfers.
System-related property includes:
- Hardware authentication tokens
- Identification cards
- System administration technical manuals
- Keys
- Building passes
Exit interviews ensure that individuals who have been terminated understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property.
Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment.
Organizations define the CUI protections appropriate for the types of reassignments or transfers, whether permanent or extended.
Protections that may be required for transfers or reassignments to other positions within organizations include:
- Returning old and issuing new keys, identification cards, and building passes
- Closing system accounts and establishing new accounts
- Changing system access authorizations
- Providing for access to official records to which individuals had access at previous work locations and in previous system accounts
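The 3.9.2 protections above are only effective if someone checks that they actually happened. The following is an added example (not Ignyte's or NIST's code) of the kind of reconciliation a security team can run after each personnel action: it compares an HR roster against an identity-provider account export and a property ledger, and flags accounts still enabled after termination, authorizations left over from a previous role after a transfer, accounts with no HR owner, and unreturned items such as badges or hardware tokens. The roster, account export, ledger and role-to-group mapping are all constructed sample data; the `grace_days` parameter is an assumed policy knob for how long after the effective date an account may remain enabled.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample HR records (not real people). "status" is the most recent
# personnel action and "effective" is the date it took effect.
HR_ROSTER = {
    "jdoe":    {"status": "terminated",  "effective": date(2024, 3, 1),  "role": None},
    "asmith":  {"status": "transferred", "effective": date(2024, 3, 10), "role": "finance"},
    "bnguyen": {"status": "active",      "effective": date(2023, 1, 5),  "role": "engineering"},
}

# Constructed identity-provider export: account state plus the access
# authorizations (groups) each account currently holds.
ACCOUNTS = {
    "jdoe":    {"enabled": True, "groups": {"cui-engineering"}},
    "asmith":  {"enabled": True, "groups": {"cui-engineering", "cui-finance"}},
    "bnguyen": {"enabled": True, "groups": {"cui-engineering"}},
    "svc-old": {"enabled": True, "groups": {"cui-finance"}},   # no HR owner at all
}

# Constructed property ledger: system-related property issued per person.
PROPERTY_LEDGER = {
    "jdoe":   [{"item": "badge", "returned": False}, {"item": "hw-token", "returned": True}],
    "asmith": [{"item": "badge", "returned": True}],
}

# Assumed mapping from job role to the authorizations that role is entitled to.
ROLE_GROUPS = {
    "finance":     {"cui-finance"},
    "engineering": {"cui-engineering"},
}


@dataclass
class Finding:
    user: str
    issue: str


def reconcile(hr, accounts, ledger, role_groups, today, grace_days=0):
    """Return a list of Findings for personnel actions that were not fully applied."""
    findings = []
    for user, acct in accounts.items():
        rec = hr.get(user)
        if rec is None:
            # Every account must trace to a person (or a documented owner).
            findings.append(Finding(user, "account has no HR record (orphan)"))
            continue
        deadline = rec["effective"] + timedelta(days=grace_days)
        if rec["status"] == "terminated":
            if acct["enabled"] and today > deadline:
                findings.append(Finding(user, "account still enabled after termination"))
            if acct["groups"]:
                findings.append(Finding(user, "terminated user retains access authorizations"))
        elif rec["status"] == "transferred" and today > deadline:
            # After a transfer the account should hold only the new role's groups.
            stale = acct["groups"] - role_groups.get(rec["role"], set())
            if stale:
                findings.append(Finding(user, f"transfer left stale authorizations: {sorted(stale)}"))
        # Property accountability applies to anyone who left or changed position.
        if rec["status"] in ("terminated", "transferred"):
            for item in ledger.get(user, []):
                if not item["returned"]:
                    findings.append(Finding(user, f"unreturned property: {item['item']}"))
    return findings


def run_sample(today_iso="2024-03-20", grace_days=0):
    """Run the reconciliation over the constructed sample data as of a given date."""
    return reconcile(HR_ROSTER, ACCOUNTS, PROPERTY_LEDGER, ROLE_GROUPS,
                     date.fromisoformat(today_iso), grace_days)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.user}: {f.issue}")
```

Run as-is, the sample reports three findings for the terminated user (enabled account, retained authorizations, unreturned badge), one stale authorization for the transferred user, nothing for the active user, and one orphan account. Running the same check with an earlier date (before the transfer took effect) drops the transfer finding, which is why the effective date, rather than the date the ticket was opened, should drive the check.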