As a government contractor, adherence to NIST SP 800-171 requirements is not just an option, but an essential mandate. Proactive preparation for compliance with these security requirements is crucial in order to avoid potential disruptions to your business operations. This blog is focused on the Personnel Security requirement.
Key Takeaways
- Personnel security screening assesses an individual’s trustworthiness prior to authorizing access to organizational systems containing Controlled Unclassified Information (CUI).
- Organizations must protect CUI from unauthorized access by former employees as well as uphold least privilege with respect to individuals switching positions within the organization.
Personnel Security
3.9.1. Screen individuals prior to authorizing access to organizational systems containing CUI. Organizations establish role-based access levels for assigned positions with specific security requirements based on required federal laws and regulations. Organizations assess individuals for security access based on their trustworthiness using the following metrics:
- Conduct: Assess their behavior and actions.
- Integrity: Consider their honesty and adherence to moral principles.
- Judgment: Evaluate their decision-making abilities.
- Loyalty: Examine their faithfulness and commitment.
- Reliability: Assess their consistency and dependability.
- Stability: Consider their emotional and mental steadiness.
3.9.2. Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. When personnel are terminated from their position, they are required to return all system-related property and have an exit interview. During an exit interview, individuals are reminded of their corporate security requirements. System-related property that must be returned includes items such as hardware authentication tokens, identification cards, computer equipment, system administration technical manuals, keys, and building passes. System accounts should be closed immediately after an employee is terminated. When personnel are reassigned to a different position, they must return all access authorization property for the former position and be issued new access authorizations pertaining to their new position. This includes actions such as returning old keys and issuing new keys, identification cards, building passes, changing system privileges, closing system accounts, and establishing new accounts.
Securing Personnel and Information
The management of CUI within organizational systems is a comprehensive process that involves screening, protection, and control. Organizations can ensure the confidentiality, integrity, and availability of CUI by implementing effective personnel screening processes and protective measures before, during and after personnel actions such as onboarding, terminations, and transfers. Key security measures include vetting individuals prior to authorizing access, ensuring the return of system-related property after offboarding, conducting exit interviews, and disabling system accounts. These practices are essential in maintaining the security and integrity of CUI within organizational systems.
These are just a few examples of how to implement Personnel Security whether you are a DoD Contractor or part of the Defense Industrial Base (DIB). Look for our next blog on Risk Assessment.
Stay Ahead of the Game: Ensure Your NIST SP 800-171 Compliance for DoD Contracts
IBSS will use our 20 years of corporate DoD cybersecurity experience to prepare you for NIST SP 800-171 compliance. We specialize in developing cybersecurity strategies that align with organizational business processes to detect or prevent cyber attacks. We identify threats and vulnerabilities, and we assist organizations with managing risks to critical data. We provide expert support to promote compliance with Defense Federal Acquisition Regulation Supplement (DFARS), Federal Information Security Modernization Act (FISMA), Federal Risk and Authorization Management Program (FedRAMP), NIST SP 800-171, and Privacy requirements.Contact us now to get a free consultation on how to develop your company’s NIST SP 800-171 SSP.
