3.9.1 has a weight of -3 points
(Personnel Security Family 1/2
Screen Individuals prior to authorizing access to organizational systems containing CUI.
Video
Example of Sysytem Security Plan (SSP):
System Security Plan (SSP) – Control Identifier: 3.9.1
Control Title: Personnel Security Screening for CUI Access
Control Description: All employees must undergo personnel security screening, including federal background checks, prior to being granted access to organizational systems containing Controlled Unclassified Information (CUI). Additional screening takes place during our interview process to further assess the individual’s conduct, integrity, judgment, loyalty, reliability, and stability to determine their trustworthiness for accessing CUI.
Implementation:
-
Personnel Screening Process:
- All prospective employees must undergo a thorough personnel security screening process before being considered for access to CUI.
- The screening process, which includes federal background checks, evaluates various factors, including conduct, integrity, judgment, loyalty, reliability, and stability, in accordance with applicable federal laws, Executive Orders, directives, policies, and regulations.
-
Access Determination:
- Only individuals who have successfully passed the personnel security screening, including federal background checks, will be considered for access to organizational systems containing CUI.
- The level of access granted will align with the specific criteria established for their assigned positions and the requirements of the CUI they will be handling.
-
Mandatory Training:
- Individuals granted access to CUI are required to undergo the following mandatory training:
- Information Technology (IT) and Cybersecurity Policy Training.
- Department of Defense (DoD) CUI Training.
- Other applicable training, such as insider threat awareness and anti-phishing training.
- Job-specific training as relevant to their assigned duties.
- Individuals granted access to CUI are required to undergo the following mandatory training:
-
Continuous Monitoring:
- Individuals with access to CUI will be subject to continuous monitoring to ensure their ongoing trustworthiness and adherence to security policies and practices.
- Any deviations or concerns regarding an individual’s trustworthiness will be promptly addressed through appropriate security measures.
Example of Plan of Action and Milestones ( POA & M):
Plan of Action and Milestones (POA&M) – Control Identifier: 3.9.1
Control Title: Personnel Security Screening for CUI Access
Control Description: All employees must undergo personnel security screening, including federal background checks, prior to being granted access to organizational systems containing Controlled Unclassified Information (CUI). Additional screening takes place during our interview process to further assess the individual’s conduct, integrity, judgment, loyalty, reliability, and stability to determine their trustworthiness for accessing CUI.
Implementation Status: In Progress
Planned Implementation Date: [Insert Planned Date]
Current Date: [Insert Current Date]
Responsible Entity: [Insert Responsible Entity/Individual]
Milestone 1: Establish Personnel Screening Process
- Description: Develop and document a comprehensive personnel screening process that includes federal background checks and aligns with applicable federal laws, Executive Orders, directives, policies, and regulations.
- Planned Start Date: [Insert Planned Date]
- Planned Completion Date: [Insert Planned Date]
- Current Status: [Specify Progress]
Milestone 2: Integration of Screening in Hiring Process
- Description: Incorporate the personnel screening process into the hiring process, ensuring that all prospective employees are subject to the required security screening.
- Planned Start Date: [Insert Planned Date]
- Planned Completion Date: [Insert Planned Date]
- Current Status: [Specify Progress]
Milestone 3: Mandatory Training Implementation
- Description: Develop and implement the mandatory training program for individuals granted access to CUI, including IT and Cybersecurity Policy Training, DoD CUI Training, and other applicable training.
- Planned Start Date: [Insert Planned Date]
- Planned Completion Date: [Insert Planned Date]
- Current Status: [Specify Progress]
Milestone 4: Continuous Monitoring Mechanism
- Description: Establish a continuous monitoring system to track individuals with access to CUI to ensure their ongoing trustworthiness and compliance with security policies and practices.
- Planned Start Date: [Insert Planned Date]
- Planned Completion Date: [Insert Planned Date]
- Current Status: [Specify Progress]
Milestone 5: Addressing Deviations and Concerns
- Description: Develop and document procedures for addressing deviations or concerns regarding an individual’s trustworthiness promptly. Implement appropriate security measures as needed.
- Planned Start Date: [Insert Planned Date]
- Planned Completion Date: [Insert Planned Date]
- Current Status: [Specify Progress]
RELEVANT INFORMATION:
Personnel security screening (vetting) activities involve the evaluation/assessment of individual’s conduct, integrity, judgment, loyalty, reliability, and stability (i.e., the trustworthiness of the individual)
prior to authorizing access to organizational systems containing CUI. The screening activities reflect applicable federal laws, Executive Orders, directives, policies, regulations, and specific criteria established for the level of access required for assigned positions.
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.