Skip to main content
Greypike's CMMC Knowledge Base

Welcome to the CMMC Knowledgebase. Search for CMMC, resources, tools, sources, sites, and platforms using the search box below.
We add more to the database weekly, check back often.

If you cannot find an answer then contact us or click the chat button on the lower right..

< All Topics
Print

Personnel Security (PS)

CMMC Personnel Security (PS) Requirements

Personnel Security contains only 2 CMMC Level 2 requirements, but these controls address one of the most critical security factors: people. These controls ensure that individuals accessing Controlled Unclassified Information are trustworthy and that access is properly managed when employment ends.

Personnel Security means screening individuals before granting access to sensitive information and managing that access throughout and beyond their employment.

People are both your greatest asset and your greatest risk. Insider threats—whether malicious or accidental—cause significant security incidents. Personnel Security controls help manage this human element.

Why Personnel Security Matters for CMMC

The Department of Defense requires Personnel Security because CUI protection depends on the trustworthiness of people who access it.

CUI stands for Controlled Unclassified Information—sensitive government data requiring protection but not classified as secret.

Personnel-related risks include:

  • Employees with undisclosed criminal histories accessing sensitive data
  • Disgruntled employees stealing or sabotaging information
  • Former employees retaining access after departure
  • Contractors or temporary workers with insufficient vetting
  • Accidental disclosure by careless personnel

Technology controls cannot fully compensate for untrustworthy personnel. People with legitimate access can bypass technical controls.

The 2 Personnel Security Requirements

PS.L2-3.9.1: Screen Individuals

“Screen individuals prior to authorizing access to organizational systems containing CUI.”

Before granting anyone access to CUI systems, verify their suitability:

Background Screening

Conduct appropriate background checks before access authorization:

  • Criminal history check
  • Employment verification
  • Education verification (when relevant)
  • Reference checks
  • Credit check (for positions with financial responsibility)

The depth of screening should match the sensitivity of access. Positions with greater CUI access warrant more thorough screening.

Who Requires Screening

Screen all individuals before CUI access, including:

  • Full-time employees
  • Part-time employees
  • Contractors and consultants
  • Temporary workers
  • Interns
  • Vendors with system access

Do not grant CUI access until screening completes satisfactorily.

Screening Considerations

Determine what screening findings disqualify access:

  • Recent criminal activity related to theft, fraud, or computer crimes
  • Falsification of application information
  • Concerning patterns in employment history
  • Failed reference checks

Document your screening criteria and apply them consistently.

Rescreening

Consider periodic rescreening for personnel with ongoing CUI access:

  • Conduct rescreening at defined intervals (annually or biannually)
  • Rescreen when personnel transfer to more sensitive positions
  • Investigate concerns that arise during employment

PS.L2-3.9.2: Personnel Actions

“Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.”

When employment status changes, protect CUI accordingly:

Terminations

When employees leave the organization:

Immediate Actions:

  • Disable system access immediately upon termination
  • Collect all access credentials, badges, and keys
  • Retrieve company-owned devices (laptops, phones, tokens)
  • Collect any CUI materials in the employee’s possession
  • Disable remote access capabilities

Within 24 Hours:

  • Verify all access has been revoked
  • Change shared passwords or credentials the employee knew
  • Review and transfer ownership of files and accounts
  • Update access lists and distribution groups

For Involuntary Terminations:

  • Consider immediate access termination before notification
  • Escort employee to collect personal belongings
  • Monitor for unusual activity prior to termination if concerns exist

Transfers

When employees change positions within the organization:

  • Review whether current access is still appropriate
  • Remove access no longer needed for new role
  • Add access required for new responsibilities
  • Update documentation to reflect new access levels
  • Apply need-to-know principles to the transfer

Resignations

Employees who resign require the same access management as terminations:

  • Determine appropriate access level during notice period
  • Consider immediate access removal for sensitive positions
  • Complete full access termination on departure date
  • Conduct exit interview covering security obligations

Contractors and Temporary Workers

Apply equivalent controls when contracts end or temporary assignments complete:

  • Track contract end dates
  • Terminate access promptly when engagement ends
  • Retrieve any materials or equipment provided
  • Document access termination

Implementing Personnel Security

Establish Screening Procedures

Create documented screening processes:

  • Define screening requirements for each access level
  • Identify approved background check providers
  • Establish screening criteria and disqualifying factors
  • Document the process for handling adverse findings
  • Maintain confidentiality of screening results

Integrate with HR Processes

Personnel security should integrate with human resources:

  • Include screening in hiring workflows
  • Build termination checklists including IT access
  • Create transfer procedures including access review
  • Ensure HR communicates personnel changes to IT promptly

Create Termination Checklists

Develop comprehensive checklists for employee departures:

IT and Security Items:

  • Disable Active Directory/network account
  • Disable email access
  • Disable VPN and remote access
  • Disable badge/physical access
  • Collect laptop and mobile devices
  • Collect security tokens or smart cards
  • Disable cloud service access
  • Remove from distribution lists
  • Transfer file and mailbox ownership
  • Review for CUI materials to collect

Timing Considerations:

  • Voluntary departure: Execute on last day
  • Involuntary departure: Execute immediately
  • Sensitive positions: Consider immediate execution

Document Everything

Maintain records of personnel security activities:

  • Screening results (with appropriate confidentiality)
  • Access authorization dates
  • Access changes during employment
  • Termination actions taken
  • Equipment and materials returned

Coordinate with Management

Managers must communicate personnel changes:

  • Immediate notification of terminations
  • Advance notice of planned departures when possible
  • Notification of transfers affecting access needs
  • Communication of any security concerns about personnel

Special Considerations

Contractors and Subcontractors

External personnel require equivalent controls:

  • Include screening requirements in contracts
  • Require notification when contractor personnel change
  • Verify contractor screening meets your standards
  • Track contractor access and terminate promptly when engagements end

Remote Workers

Remote employees require the same personnel security:

  • Apply standard screening regardless of work location
  • Plan for equipment retrieval upon termination
  • Consider shipping arrangements for remote equipment return
  • Verify remote access termination

Temporary Access

Short-term access for auditors, vendors, or visitors:

  • Apply appropriate screening based on access level
  • Use temporary credentials that expire automatically
  • Document temporary access granted
  • Verify access terminates as planned

Common Personnel Security Mistakes

Mistake 1: Skipping Contractor Screening

Contractors often access the same CUI as employees. Apply equivalent screening requirements.

Mistake 2: Delayed Access Termination

Waiting days or weeks to disable departed employee access creates risk. Terminate access immediately upon departure.

Mistake 3: No Transfer Reviews

Employees who transfer accumulate access over time. Review and adjust access with each position change.

Mistake 4: Forgetting Shared Credentials

Departed employees may know shared passwords or system credentials. Change shared credentials when employees leave.

Mistake 5: Incomplete Equipment Return

Laptops, phones, and USB drives in former employee possession may contain CUI. Track and retrieve all equipment.

Key Takeaways

Personnel Security’s 2 requirements address the human element of CUI protection. Screen individuals before granting access, and manage access carefully when employment status changes.

Build screening into your hiring process and termination procedures into your departure process. Integrate personnel security with HR workflows to ensure changes are communicated and access is managed promptly.

People with CUI access must be trustworthy, and access must end when employment ends.


Related Articles:

Official Sources: This article is based on NIST SP 800-171 Revision 2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” specifically the Personnel Security family (Section 3.9), and the DoD CMMC Level 2 Assessment Guide.


Need help implementing personnel security for CMMC compliance? Contact Greypike for expert guidance on Level 1 and Level 2 certification, or get started with Obolix to streamline your compliance journey.

Table of Contents