Personnel Security (PS)
This page contains all 17 controls and control enhancements in the Personnel Security (PS) family from the vendored NIST SP 800-53 Revision 5 OSCAL catalog.
Official NIST OSCAL source
- Catalog version: 5.2.0
- OSCAL version: 1.2.2
- Catalog last modified: May 11, 2026
PS-01 (Policy and Procedures)
- a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
  - 1. [Selection: one or more of: organization-level; mission/business process-level; system-level] personnel security policy that:
    - (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    - (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
  - 2. Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;
- b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the personnel security policy and procedures; and
- c. Review and update the current personnel security:
  - 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
  - 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PS-02 (Position Risk Designation)
- a. Assign a risk designation to all organizational positions;
- b. Establish screening criteria for individuals filling those positions; and
- c. Review and update position risk designations [Assignment: organization-defined frequency].
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PS-03 (Personnel Screening)
- a. Screen individuals prior to authorizing access to the system; and
- b. Rescreen individuals in accordance with [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening].
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PS-03 (01) (Classified Information)
Verify that individuals accessing a system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PS-03 (02) (Formal Indoctrination)
Verify that individuals accessing a system processing, storing, or transmitting types of classified information that require formal indoctrination, are formally indoctrinated for all the relevant types of information to which they have access on the system.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PS-03 (03) (Information Requiring Special Protective Measures)
Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection:
- (a) Have valid access authorizations that are demonstrated by assigned official government duties; and
- (b) Satisfy [Assignment: organization-defined additional personnel screening criteria].
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PS-03 (04) (Citizenship Requirements)
Verify that individuals accessing a system processing, storing, or transmitting [Assignment: organization-defined information types] meet [Assignment: organization-defined citizenship requirements].
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PS-04 (Personnel Termination)
Upon termination of individual employment:
- a. Disable system access within [Assignment: organization-defined time period];
- b. Terminate or revoke any authenticators and credentials associated with the individual;
- c. Conduct exit interviews that include a discussion of [Assignment: organization-defined information security topics];
- d. Retrieve all security-related organizational system-related property; and
- e. Retain access to organizational information and systems formerly controlled by terminated individual.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PS-04 (01) (Post-employment Requirements)
- (a) Notify terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and
- (b) Require terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PS-04 (02) (Automated Actions)
Use [Assignment: organization-defined automated mechanisms] to [Selection: one or more of: notify of individual termination actions; disable access to system resources].
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PS-05 (Personnel Transfer)
- a. Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;
- b. Initiate [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action];
- c. Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
- d. Notify [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PS-06 (Access Agreements)
- a. Develop and document access agreements for organizational systems;
- b. Review and update the access agreements [Assignment: organization-defined frequency]; and
- c. Verify that individuals requiring access to organizational information and systems:
  - 1. Sign appropriate access agreements prior to being granted access; and
  - 2. Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or [Assignment: organization-defined frequency].
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PS-06 (02) (Classified Information Requiring Special Protection)
Verify that access to classified information requiring special protection is granted only to individuals who:
- (a) Have a valid access authorization that is demonstrated by assigned official government duties;
- (b) Satisfy associated personnel security criteria; and
- (c) Have read, understood, and signed a nondisclosure agreement.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PS-06 (03) (Post-employment Requirements)
- (a) Notify individuals of applicable, legally binding post-employment requirements for protection of organizational information; and
- (b) Require individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PS-07 (External Personnel Security)
- a. Establish personnel security requirements, including security roles and responsibilities for external providers;
- b. Require external providers to comply with personnel security policies and procedures established by the organization;
- c. Document personnel security requirements;
- d. Require external providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within [Assignment: organization-defined time period]; and
- e. Monitor provider compliance with personnel security requirements.
FedRAMP Guidance
CSPs MUST clearly document any nationality requirements for any account type within its platform. If none exists, this must also be explicitly stated.
External Link for Additional Information: myctrl.tools
PS-08 (Personnel Sanctions)
- a. Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and
- b. Notify [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools
PS-09 (Position Descriptions)
Incorporate security and privacy roles and responsibilities into organizational position descriptions.
This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
External Link for Additional Information: myctrl.tools