Welcome to the CMMC Knowledgebase. Search for CMMC, resources, tools, sources, sites, and platforms using the search box below.
We add more to the database weekly, check back often.
If you cannot find an answer then contact us or click the chat button on the lower right..
-
Artificial Intelligence (AI)
-
CMMC Fundamentals
-
CMMC Levels & Requirements
-
The 14 Control Families
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Configuration Management (CM)
- Identification and Authentication (IA)
- CMMC Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
-
Implementation Roadmaps
-
Industry-Specific Guides
-
CMMC Documentation & Evidence
-
SPRS & Self-Assessment
-
CMMC Costs & Budgeting
-
Technology & Tools
-
CMMC Training & Awareness
-
Policies & Procedures
- How to Submit Your SPRS Score: PIEE Step-by-Step Guide [2026 Update]
- CMMC Policies and Procedures: What Documentation You Need
- How to Write a System Security Plan: The Owner's Guide to the One Document That Gates Everything
- Creating a Plan of Action and Milestones for CMMC
- Documenting Evidence for CMMC Assessment
-
Supply Chain & Third-Party Risk
-
Incident Response & Breach Reporting
-
Common Mistakes & Failures
-
Advanced Topics & Level 2
-
Updates & Regulatory Changes
Personnel Security (PS)
CMMC Personnel Security (PS) Requirements
Personnel Security contains only 2 CMMC Level 2 requirements, but these controls address one of the most critical security factors: people. These controls ensure that individuals accessing Controlled Unclassified Information are trustworthy and that access is properly managed when employment ends.
Personnel Security means screening individuals before granting access to sensitive information and managing that access throughout and beyond their employment.
People are both your greatest asset and your greatest risk. Insider threats—whether malicious or accidental—cause significant security incidents. Personnel Security controls help manage this human element.
Why Personnel Security Matters for CMMC
The Department of Defense requires Personnel Security because CUI protection depends on the trustworthiness of people who access it.
CUI stands for Controlled Unclassified Information—sensitive government data requiring protection but not classified as secret.
Personnel-related risks include:
- Employees with undisclosed criminal histories accessing sensitive data
- Disgruntled employees stealing or sabotaging information
- Former employees retaining access after departure
- Contractors or temporary workers with insufficient vetting
- Accidental disclosure by careless personnel
Technology controls cannot fully compensate for untrustworthy personnel. People with legitimate access can bypass technical controls.
The 2 Personnel Security Requirements
PS.L2-3.9.1: Screen Individuals
“Screen individuals prior to authorizing access to organizational systems containing CUI.”
Before granting anyone access to CUI systems, verify their suitability:
Background Screening
Conduct appropriate background checks before access authorization:
- Criminal history check
- Employment verification
- Education verification (when relevant)
- Reference checks
- Credit check (for positions with financial responsibility)
The depth of screening should match the sensitivity of access. Positions with greater CUI access warrant more thorough screening.
Who Requires Screening
Screen all individuals before CUI access, including:
- Full-time employees
- Part-time employees
- Contractors and consultants
- Temporary workers
- Interns
- Vendors with system access
Do not grant CUI access until screening completes satisfactorily.
Screening Considerations
Determine what screening findings disqualify access:
- Recent criminal activity related to theft, fraud, or computer crimes
- Falsification of application information
- Concerning patterns in employment history
- Failed reference checks
Document your screening criteria and apply them consistently.
Rescreening
Consider periodic rescreening for personnel with ongoing CUI access:
- Conduct rescreening at defined intervals (annually or biannually)
- Rescreen when personnel transfer to more sensitive positions
- Investigate concerns that arise during employment
PS.L2-3.9.2: Personnel Actions
“Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.”
When employment status changes, protect CUI accordingly:
Terminations
When employees leave the organization:
Immediate Actions:
- Disable system access immediately upon termination
- Collect all access credentials, badges, and keys
- Retrieve company-owned devices (laptops, phones, tokens)
- Collect any CUI materials in the employee’s possession
- Disable remote access capabilities
Within 24 Hours:
- Verify all access has been revoked
- Change shared passwords or credentials the employee knew
- Review and transfer ownership of files and accounts
- Update access lists and distribution groups
For Involuntary Terminations:
- Consider immediate access termination before notification
- Escort employee to collect personal belongings
- Monitor for unusual activity prior to termination if concerns exist
Transfers
When employees change positions within the organization:
- Review whether current access is still appropriate
- Remove access no longer needed for new role
- Add access required for new responsibilities
- Update documentation to reflect new access levels
- Apply need-to-know principles to the transfer
Resignations
Employees who resign require the same access management as terminations:
- Determine appropriate access level during notice period
- Consider immediate access removal for sensitive positions
- Complete full access termination on departure date
- Conduct exit interview covering security obligations
Contractors and Temporary Workers
Apply equivalent controls when contracts end or temporary assignments complete:
- Track contract end dates
- Terminate access promptly when engagement ends
- Retrieve any materials or equipment provided
- Document access termination
Implementing Personnel Security
Establish Screening Procedures
Create documented screening processes:
- Define screening requirements for each access level
- Identify approved background check providers
- Establish screening criteria and disqualifying factors
- Document the process for handling adverse findings
- Maintain confidentiality of screening results
Integrate with HR Processes
Personnel security should integrate with human resources:
- Include screening in hiring workflows
- Build termination checklists including IT access
- Create transfer procedures including access review
- Ensure HR communicates personnel changes to IT promptly
Create Termination Checklists
Develop comprehensive checklists for employee departures:
IT and Security Items:
- Disable Active Directory/network account
- Disable email access
- Disable VPN and remote access
- Disable badge/physical access
- Collect laptop and mobile devices
- Collect security tokens or smart cards
- Disable cloud service access
- Remove from distribution lists
- Transfer file and mailbox ownership
- Review for CUI materials to collect
Timing Considerations:
- Voluntary departure: Execute on last day
- Involuntary departure: Execute immediately
- Sensitive positions: Consider immediate execution
Document Everything
Maintain records of personnel security activities:
- Screening results (with appropriate confidentiality)
- Access authorization dates
- Access changes during employment
- Termination actions taken
- Equipment and materials returned
Coordinate with Management
Managers must communicate personnel changes:
- Immediate notification of terminations
- Advance notice of planned departures when possible
- Notification of transfers affecting access needs
- Communication of any security concerns about personnel
Special Considerations
Contractors and Subcontractors
External personnel require equivalent controls:
- Include screening requirements in contracts
- Require notification when contractor personnel change
- Verify contractor screening meets your standards
- Track contractor access and terminate promptly when engagements end
Remote Workers
Remote employees require the same personnel security:
- Apply standard screening regardless of work location
- Plan for equipment retrieval upon termination
- Consider shipping arrangements for remote equipment return
- Verify remote access termination
Temporary Access
Short-term access for auditors, vendors, or visitors:
- Apply appropriate screening based on access level
- Use temporary credentials that expire automatically
- Document temporary access granted
- Verify access terminates as planned
Common Personnel Security Mistakes
Mistake 1: Skipping Contractor Screening
Contractors often access the same CUI as employees. Apply equivalent screening requirements.
Mistake 2: Delayed Access Termination
Waiting days or weeks to disable departed employee access creates risk. Terminate access immediately upon departure.
Mistake 3: No Transfer Reviews
Employees who transfer accumulate access over time. Review and adjust access with each position change.
Mistake 4: Forgetting Shared Credentials
Departed employees may know shared passwords or system credentials. Change shared credentials when employees leave.
Mistake 5: Incomplete Equipment Return
Laptops, phones, and USB drives in former employee possession may contain CUI. Track and retrieve all equipment.
Key Takeaways
Personnel Security’s 2 requirements address the human element of CUI protection. Screen individuals before granting access, and manage access carefully when employment status changes.
Build screening into your hiring process and termination procedures into your departure process. Integrate personnel security with HR workflows to ensure changes are communicated and access is managed promptly.
People with CUI access must be trustworthy, and access must end when employment ends.
Related Articles:
- What is CMMC Level 2?
- CMMC Access Control Requirements for Level 2
- CMMC Awareness and Training Requirements
- NIST SP 800-171 Rev 2 – Personnel Security Family
- 32 CFR Part 170 – CMMC Program Rule
Official Sources: This article is based on NIST SP 800-171 Revision 2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” specifically the Personnel Security family (Section 3.9), and the DoD CMMC Level 2 Assessment Guide.
Need help implementing personnel security for CMMC compliance? Contact Greypike for expert guidance on Level 1 and Level 2 certification, or get started with Obolix to streamline your compliance journey.