Navigate

PS-3

PS-3: Personnel Screening

a: Screen individuals prior to authorizing access to the system; and

b: Rescreen individuals in accordance with [one of ].

Supplemental

Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems.

CIA Levels
Confidentiality	low
Integrity	low
Availability	unknown

Overlays
CMMC, DAF Baseline, Privacy (accountability), Privacy (high), Privacy (low), Privacy (moderate)

CSF Categories
PR.AC-6, PR.IP-11

Related Controls

The controls below (if any) were marked by NIST as being related to PS-3.

Control	Description
AC-2	a: Define and document the types of accounts allowed and specifically prohibited for use within the system; b: Assign account managers; c: Require [prerequisites and criteria for group and role membership are defined;] for group and role membership; d: Specify: 1: Authorized users of the system; 2: Group and role membership; and 3: Access authorizations (i.e., privileges) and [attributes (as required) for each account are defined;] for each account; e: Require approvals by [personnel or roles required to approve requests to create accounts is/are defined;] for requests to create accounts; f: Create, enable, modify, disable, and remove accounts in accordance with [policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;]; g: Monitor the use of accounts; h: Notify account managers and [personnel or roles to be notified is/are defined;] within: 1: [time period within which to notify account managers when accounts are no longer required is defined;] when accounts are no longer required; 2: [time period within which to notify account managers when users are terminated or transferred is defined; ] when users are terminated or transferred; and 3: [time period within which to notify account managers when system usage or the need to know changes for an individual is defined;] when system usage or need-to-know changes for an individual; i: Authorize access to the system based on: 1: A valid access authorization; 2: Intended system usage; and 3: [attributes needed to authorize system access (as required) are defined;]; j: Review accounts for compliance with account management requirements [the frequency of account review is defined;]; k: Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and l: Align account management processes with personnel termination and transfer processes.
IA-4	Manage system identifiers by: a: Receiving authorization from [personnel or roles from whom authorization must be received to assign an identifier are defined;] to assign an individual, group, role, service, or device identifier; b: Selecting an identifier that identifies an individual, group, role, service, or device; c: Assigning the identifier to the intended individual, group, role, service, or device; and d: Preventing reuse of identifiers for [a time period for preventing reuse of identifiers is defined;].
MA-5	a: Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel; b: Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and c: Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.
PE-2	a: Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides; b: Issue authorization credentials for facility access; c: Review the access list detailing authorized facility access by individuals [frequency at which to review the access list detailing authorized facility access by individuals is defined;] ; and d: Remove individuals from the facility access list when access is no longer required.
PM-12	Implement an insider threat program that includes a cross-discipline insider threat incident handling team.
PS-2	a: Assign a risk designation to all organizational positions; b: Establish screening criteria for individuals filling those positions; and c: Review and update position risk designations [the frequency at which to review and update position risk designations is defined;].
PS-6	a: Develop and document access agreements for organizational systems; b: Review and update the access agreements [the frequency at which to review and update access agreements is defined;] ; and c: Verify that individuals requiring access to organizational information and systems: 1: Sign appropriate access agreements prior to being granted access; and 2: Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or [the frequency at which to re-sign access agreements to maintain access to organizational information is defined;].
PS-7	a: Establish personnel security requirements, including security roles and responsibilities for external providers; b: Require external providers to comply with personnel security policies and procedures established by the organization; c: Document personnel security requirements; d: Require external providers to notify [personnel or roles to be notified of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is/are defined;] of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within [time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is defined;] ; and e: Monitor provider compliance with personnel security requirements.
SA-21	Require that the developer of [the system, systems component, or system service that the developer has access to is/are defined;]: a: Has appropriate access authorizations as determined by assigned [official government duties assigned to the developer are defined;] ; and b: Satisfies the following additional personnel screening criteria: [additional personnel screening criteria for the developer are defined;].

Enhancements

The controls below (if any) add on to the requirements of PS-3.

Control	Description
PS-3(1)	Verify that individuals accessing a system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system.
PS-3(2)	Verify that individuals accessing a system processing, storing, or transmitting types of classified information that require formal indoctrination, are formally indoctrinated for all the relevant types of information to which they have access on the system.
PS-3(3)	Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection: (a): Have valid access authorizations that are demonstrated by assigned official government duties; and (b): Satisfy [additional personnel screening criteria to be satisfied for individuals accessing a system processing, storing, or transmitting information requiring special protection are defined;].
PS-3(4)	Verify that individuals accessing a system processing, storing, or transmitting [information types that are processed, stored, or transmitted by a system that require individuals accessing the system to meet {{ insert: param, ps-03.04_odp.02 }} are defined;] meet [citizenship requirements to be met by individuals to access a system processing, storing, or transmitting information are defined;].

Related CCIs

The CCIs below are tied to PS-3.

CCI	Definition
CCI-001516	Screen individuals prior to authorizing access to the system.
CCI-001517	Rescreen individuals with authorized access to the system in accordance with organization-defined conditions requiring rescreening, and where rescreening is so indicated, on the organization-defined frequency of rescreening.
CCI-001518	Defines the conditions requiring rescreening of individuals with authorized access to the system.
CCI-001519	Defines the frequency for rescreening individuals with authorized access to the information system when organization-defined conditions requiring rescreening are met.