Navigate

PS-3

PS-3: Personnel Screening

The organization:

PS-3a.: Screens individuals prior to authorizing access to the information system; and

PS-3b.: Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening].

Supplemental

Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems.

CIA Levels
Confidentiality	low
Integrity	low
Availability	unknown

Overlays
Privacy (High), Privacy (Low), Privacy (Mod), Privacy (PHI)

Related Controls

The controls below (if any) were marked by NIST as being related to PS-3.

Control	Description
AC-2	The organization: AC-2a.: Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; AC-2b.: Assigns account managers for information system accounts; AC-2c.: Establishes conditions for group and role membership; AC-2d.: Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; AC-2e.: Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; AC-2f.: Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; AC-2g.: Monitors the use of information system accounts; AC-2h.: Notifies account managers: AC-2h.1.: When accounts are no longer required; AC-2h.2.: When users are terminated or transferred; and AC-2h.3.: When individual information system usage or need-to-know changes; AC-2i.: Authorizes access to the information system based on: AC-2i.1.: A valid access authorization; AC-2i.2.: Intended system usage; and AC-2i.3.: Other attributes as required by the organization or associated missions/business functions; AC-2j.: Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and AC-2k.: Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
IA-4	The organization manages information system identifiers by: IA-4a.: Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier; IA-4b.: Selecting an identifier that identifies an individual, group, role, or device; IA-4c.: Assigning the identifier to the intended individual, group, role, or device; IA-4d.: Preventing reuse of identifiers for [Assignment: organization-defined time period]; and IA-4e.: Disabling the identifier after [Assignment: organization-defined time period of inactivity].
PE-2	The organization: PE-2a.: Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides; PE-2b.: Issues authorization credentials for facility access; PE-2c.: Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and PE-2d.: Removes individuals from the facility access list when access is no longer required.
PS-2	The organization: PS-2a.: Assigns a risk designation to all organizational positions; PS-2b.: Establishes screening criteria for individuals filling those positions; and PS-2c.: Reviews and updates position risk designations [Assignment: organization-defined frequency].

Enhancements

The controls below (if any) add on to the requirements of PS-3.

Control	Description
PS-3 (1)	The organization ensures that individuals accessing an information system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system.
PS-3 (2)	The organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of information to which they have access on the system.
PS-3 (3)	The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection: PS-3 (3)(a): Have valid access authorizations that are demonstrated by assigned official government duties; and PS-3 (3)(b): Satisfy [Assignment: organization-defined additional personnel screening criteria].

Related CCIs

The CCIs below are tied to PS-3.

CCI	Definition
CCI-001516	The organization screens individuals prior to authorizing access to the information system.
CCI-001517	The organization rescreens individuals with authorized access to the information system according to organization-defined conditions requiring rescreening, and where rescreening is so indicated, on the organization-defined frequency of such rescreening.
CCI-001518	The organization defines the conditions requiring rescreening of individuals with authorized access to the information system.
CCI-001519	The organization defines the frequency for rescreening individuals with authorized access to the information system when organization-defined conditions requiring rescreening are met.