PS-3: Personnel Screening

Control Family:

Personnel Security

CSF v1.1 References:

PF v1.0 References:

Baselines:

  • Low
    • PS-3
  • Moderate
    • PS-3
  • High
    • PS-3
  • Privacy
    • N/A

Previous Version:

Control Statement

  1. Screen individuals prior to authorizing access to the system; and
  2. Rescreen individuals in accordance with [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening].

Supplemental Guidance

Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems.

Control Enhancements

PS-3(1): Classified Information

Baseline(s):

(Not part of any baseline)

Verify that individuals accessing a system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system.

PS-3(2): Formal Indoctrination

Baseline(s):

(Not part of any baseline)

Verify that individuals accessing a system processing, storing, or transmitting types of classified information that require formal indoctrination, are formally indoctrinated for all the relevant types of information to which they have access on the system.

PS-3(3): Information with Special Protective Measures

Baseline(s):

(Not part of any baseline)

Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection:

  1. Have valid access authorizations that are demonstrated by assigned official government duties; and
  2. Satisfy [Assignment: organization-defined additional personnel screening criteria].

PS-3(4): Citizenship Requirements

Baseline(s):

(Not part of any baseline)

Verify that individuals accessing a system processing, storing, or transmitting [Assignment: organization-defined information types] meet [Assignment: organization-defined citizenship requirements].