NIST Special Publication 800-171 Revision 2

Date Published: January 28th, 2021

Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3

Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)

Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors, who are subject to 252.204-7012, to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer. Click Here

3.9.1: Screen individuals prior to authorizing access to organizational systems containing CUI.

Control Family: Personnel Security

Control Type: Basic

SPRS Value: 3

SPRS Supplemental Guidance: N/A

CMMC Level(s): PS.L2-3.9.1

Top Ten Failed Requirement:

No

Referenced in:

DFARS 252.204-7012

Derived From: NIST SP 800-53r4

  • PS-3

  • PS-4

  • PS-5

NIST Supplemental Guidance:

N/A

Discussion:

Personnel security screening (vetting) activities involve the evaluation/assessment of individual’s conduct, integrity, judgment, loyalty, reliability, and stability (i.e., the trustworthiness of the individual) prior to authorizing access to organizational systems containing CUI. The screening activities reflect applicable federal laws, Executive Orders, directives, policies, regulations, and specific criteria established for the level of access required for assigned positions.

Upon assessment, assessors must determine if-

Determine if individuals are screened prior to authorizing access to organizational systems containing CUI.

Assessors are instructed to-

Examine: [SELECT FROM: Personnel security policy; procedures addressing personnel screening; records of screened personnel; system security plan; other relevant documents or records].

Interview: [SELECT FROM: Personnel with personnel security responsibilities; personnel with information security responsibilities].

Test: [SELECT FROM: Organizational processes for personnel screening].

FURTHER DISCUSSION

Ensure all employees who need access to CUI undergo organization-defined screening before being granted access. Base the types of screening on the requirements for a given position and role.

The effective screening of personnel provided by this requirement, PS.L2-3.9.1, improves upon the effectiveness of authentication performed in IA.L2-3.5.2.

Example

You are in charge of security at your organization. You complete standard criminal background and credit checks of all individuals you hire before they can access CUI [a]. Your screening program follows appropriate laws, policies, regulations, and criteria for the level of access required for each position.

Potential Assessment Considerations

  • Are appropriate background checks completed prior granting access to organizational systems containing CUI [a]?