Navigate

CCI-003040

CCI-003040 Definition

The organization requires third-party providers to comply with personnel security policies and procedures established by the organization.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed documents and implements a process to require third-party providers to comply with personnel security policies and procedures established by the organization.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed requires third-party providers to comply with personnel security policies and procedures established by the organization.

Compelling Evidence

1.) SOP/TTP documentation defining third party providers to comply with personnel security policies and procedures established by the organization.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003040.

Control	Description
PS-7	The organization: PS-7a.: Establishes personnel security requirements including security roles and responsibilities for third-party providers; PS-7b.: Requires third-party providers to comply with personnel security policies and procedures established by the organization; PS-7c.: Documents personnel security requirements; PS-7d.: Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and PS-7e.: Monitors provider compliance.

Control

Description

PS-7

The organization:

PS-7a.: Establishes personnel security requirements including security roles and responsibilities for third-party providers;

PS-7b.: Requires third-party providers to comply with personnel security policies and procedures established by the organization;

PS-7c.: Documents personnel security requirements;

PS-7d.: Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and

PS-7e.: Monitors provider compliance.