Navigate

PS-3

PS-3: Personnel Screening

The organization:

a: Screens individuals prior to authorizing access to the information system; and

b: Rescreens individuals according to [one of ].

Supplemental

Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems.

CIA Levels
Confidentiality	low
Integrity	low
Availability	unknown

Overlays
Privacy (High), Privacy (Low), Privacy (Mod), Privacy (PHI)

CSF Categories
PR.AC-6, PR.DS-5, PR.IP-11

Related Controls

The controls below (if any) were marked by NIST as being related to PS-3.

Control	Description
AC-2	The organization: a: Identifies and selects the following types of information system accounts to support organizational missions/business functions: [one of ]; b: Assigns account managers for information system accounts; c: Establishes conditions for group and role membership; d: Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e: Requires approvals by [one of ] for requests to create information system accounts; f: Creates, enables, modifies, disables, and removes information system accounts in accordance with [one of ]; g: Monitors the use of information system accounts; h: Notifies account managers: 1: When accounts are no longer required; 2: When users are terminated or transferred; and 3: When individual information system usage or need-to-know changes; i: Authorizes access to the information system based on: 1: A valid access authorization; 2: Intended system usage; and 3: Other attributes as required by the organization or associated missions/business functions; j: Reviews accounts for compliance with account management requirements [one of ]; and k: Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
IA-4	The organization manages information system identifiers by: a: Receiving authorization from [one of ] to assign an individual, group, role, or device identifier; b: Selecting an identifier that identifies an individual, group, role, or device; c: Assigning the identifier to the intended individual, group, role, or device; d: Preventing reuse of identifiers for [one of ]; and e: Disabling the identifier after [one of ].
PE-2	The organization: a: Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides; b: Issues authorization credentials for facility access; c: Reviews the access list detailing authorized facility access by individuals [one of ]; and d: Removes individuals from the facility access list when access is no longer required.
PS-2	The organization: a: Assigns a risk designation to all organizational positions; b: Establishes screening criteria for individuals filling those positions; and c: Reviews and updates position risk designations [one of ].

Enhancements

The controls below (if any) add on to the requirements of PS-3.

Control	Description
PS-3(1)	The organization ensures that individuals accessing an information system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system.
PS-3(2)	The organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of information to which they have access on the system.
PS-3(3)	The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection: (a): Have valid access authorizations that are demonstrated by assigned official government duties; and (b): Satisfy [one of ].

Related CCIs

The CCIs below are tied to PS-3.

CCI	Definition
CCI-001516	Screen individuals prior to authorizing access to the system.
CCI-001517	Rescreen individuals with authorized access to the system in accordance with organization-defined conditions requiring rescreening, and where rescreening is so indicated, on the organization-defined frequency of rescreening.
CCI-001518	Defines the conditions requiring rescreening of individuals with authorized access to the system.
CCI-001519	Defines the frequency for rescreening individuals with authorized access to the information system when organization-defined conditions requiring rescreening are met.