Navigate

PS-2

PS-2: Position Risk Designation

The organization:

PS-2a.: Assigns a risk designation to all organizational positions;

PS-2b.: Establishes screening criteria for individuals filling those positions; and

PS-2c.: Reviews and updates position risk designations [Assignment: organization-defined frequency].

Supplemental

Position risk designations reflect Office of Personnel Management policy and guidance. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements (e.g., training, security clearances).

CIA Levels
Confidentiality	low
Integrity	low
Availability	low

Overlays
Privacy (High), Privacy (Low), Privacy (Mod), Privacy (PHI)

Related Controls

The controls below (if any) were marked by NIST as being related to PS-2.

Control	Description
AT-3	The organization provides role-based security training to personnel with assigned security roles and responsibilities: AT-3a.: Before authorizing access to the information system or performing assigned duties; AT-3b.: When required by information system changes; and AT-3c.: [Assignment: organization-defined frequency] thereafter.
PL-2	The organization: PL-2a.: Develops a security plan for the information system that: PL-2a.1.: Is consistent with the organization�s enterprise architecture; PL-2a.2.: Explicitly defines the authorization boundary for the system; PL-2a.3.: Describes the operational context of the information system in terms of missions and business processes; PL-2a.4.: Provides the security categorization of the information system including supporting rationale; PL-2a.5.: Describes the operational environment for the information system and relationships with or connections to other information systems; PL-2a.6.: Provides an overview of the security requirements for the system; PL-2a.7.: Identifies any relevant overlays, if applicable; PL-2a.8.: Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and PL-2a.9.: Is reviewed and approved by the authorizing official or designated representative prior to plan implementation; PL-2b.: Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles]; PL-2c.: Reviews the security plan for the information system [Assignment: organization-defined frequency]; PL-2d.: Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and PL-2e.: Protects the security plan from unauthorized disclosure and modification.
PS-3	The organization: PS-3a.: Screens individuals prior to authorizing access to the information system; and PS-3b.: Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening].

Enhancements

The controls below (if any) add on to the requirements of PS-2.

Control	Description
No controls

Related CCIs

The CCIs below are tied to PS-2.

CCI	Definition
CCI-001512	The organization assigns a risk designation to all organizational positions.
CCI-001513	The organization establishes screening criteria for individuals filling organizational positions.
CCI-001514	The organization reviews and updates position risk designations in accordance with organization-defined frequency.
CCI-001515	The organization defines the frequency with which to review and update position risk designations.