Navigate

CCI-001540

CCI-001540 Definition

The organization documents personnel security requirements for third-party providers.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed documents personnel security requirements for third-party providers.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the personnel security requirements to ensure the organization being inspected/assessed documents personnel security requirements for third-party providers.

Compelling Evidence

1.) Security Level Agreements signed by third party providers listed in SOP/TTP above to ensure compliance with policies and procedures established by the organization.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-001540.

Control	Description
PS-7	The organization: PS-7a.: Establishes personnel security requirements including security roles and responsibilities for third-party providers; PS-7b.: Requires third-party providers to comply with personnel security policies and procedures established by the organization; PS-7c.: Documents personnel security requirements; PS-7d.: Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and PS-7e.: Monitors provider compliance.

Control

Description

PS-7

The organization:

PS-7a.: Establishes personnel security requirements including security roles and responsibilities for third-party providers;

PS-7b.: Requires third-party providers to comply with personnel security policies and procedures established by the organization;

PS-7c.: Documents personnel security requirements;

PS-7d.: Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and

PS-7e.: Monitors provider compliance.