This article is the fifth in a 15-part blog series discussing each domain in Cybersecurity Maturity Model Certification (CMMC). This article touches upon one of the domains within CMMC: Personnel Security.
The Personnel Security (PS) domain, as its name suggests, is about the people in your organization. It covers managing personnel, screening individuals, monitoring their actions, and the security aspects of personnel changes.
We will be exploring Personnel Security in the following manner:
The Personnel Security domain focuses on the security aspects of handling and managing personnel. Screening individuals, reviewing their actions, and responding appropriately are the central concerns of this domain.
Let us break down the practices within this domain:
To maintain or interact with CUI, you must ensure that the individuals working with this sensitive information have been vetted to do so. Your organization may define its own screening requirements for individuals who handle CUI, but every individual MUST be screened before being granted access to organizational systems containing CUI. Screening could involve evaluating various factors, including an individual's conduct, integrity, loyalty, honesty, reliability, and more. The depth of screening should depend on the individual's position and the requirements of that position (for example, someone who works with a large amount of CUI under many security requirements should be screened far more thoroughly).
Screening individuals is not the only important aspect of Personnel Security. Once that has been done, the actions they perform must be monitored and controlled as well. It is also important to protect and maintain your CUI before, during, and after personnel actions have been conducted on your organizational systems. This requirement also focuses on Personnel reassigned, transferred, or terminated from your organization. For reassignments or transfers, your organization must determine CUI protection mechanisms that align with the processes in your organization for reassignments/transfers (for example, returning keycards). For terminations, it is important to let the individual know the sensitivity of their position and remind them of nondisclosure agreements and other requirements to maintain security.
This domain covers cybersecurity best practices related to Personnel Security, ranging from screening individuals to handling personnel actions such as reassignments, transfers, and terminations. The main focus throughout is ensuring that every aspect of Personnel Security is carried out properly and with the right approach.
For CMMC Level 1, your organization will not have to do anything for this domain.
For CMMC Level 2, there are two practices.
Here are some suggestions on how to comply with the above two security practices:
For CMMC Level 3, the PS practices are yet to be determined.