3.9 — Personnel Security

Personnel Security (PS) Policy

Establishes requirements for screening individuals prior to authorizing access and protecting CUI upon personnel actions — covering 2 controls per NIST SP 800-171 Rev 2.

Family: 3.9 — PS
Controls: 2
Owner: Sandra O. Floyd
Last Review: April 3, 2026
SELF-ASSESSMENT

Control statuses below reflect an internal self-assessment prepared with AI assistance. Statuses marked "Implemented" may be organizational claims without verifiable evidence. See POA&M for known gaps.

Policy Statement

OCSI shall screen individuals prior to authorizing access to organizational systems containing CUI. Access shall be protected during and after personnel actions such as terminations and transfers.

Control Implementation
Control: 3.9.1
Requirement: Screen individuals prior to authorizing access to organizational systems containing CUI
Implementation: All personnel undergo background screening before being granted access to CUI systems. Screening includes verification of identity, employment history, and criminal background. Personnel requiring access to the Command Center must be approved by the President. External MSSP IR team members are vetted per their organizational security policies.
Status: Implemented

Control: 3.9.2
Requirement: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers
Implementation: Upon termination or transfer: (1) Command Center credentials are immediately revoked, (2) the session is terminated via sessionStorage clear, (3) the authorized device has localStorage cleared, (4) FTP/cPanel access credentials are rotated, (5) the exit interview includes a CUI non-disclosure reminder. The Security Officer maintains the offboarding checklist. All access changes are logged to the audit trail.
Status: Implemented

Personnel Actions Checklist

Onboarding

  • Background screening completed
  • Non-Disclosure Agreement signed
  • Security awareness training completed (3.2.1) — training program not yet created
  • Insider threat training completed (3.2.3) — training program not yet created
  • Account provisioned with temporary credentials
  • Authorized device registered in inventory

Offboarding

  • Command Center credentials revoked
  • Active sessions terminated
  • Authorized device localStorage cleared
  • FTP/server credentials rotated
  • Physical materials returned
  • CUI non-disclosure obligations confirmed
  • Exit audit logged

Review Schedule: Personnel security policy reviewed annually. Access authorizations reviewed quarterly by Security Officer.