PS.L2-3.9.1: Screen Individuals Prior to System Access
Before granting anyone access to systems containing Controlled Unclassified Information (CUI), you need a formal screening process. PS.L2-3.9.1 requires organizations to conduct background checks and vetting—a critical control that prevents unauthorized individuals from gaining access to sensitive data. This control is foundational to CMMC Level 2 compliance and protects both your organization and your customers.
What this means
This control mandates that your organization establish and enforce a screening process for all individuals before they receive authorization to access information systems containing CUI. Screening includes background investigations, identity verification, and security clearance confirmation where required. The goal is to identify potential security risks and ensure only trustworthy personnel access sensitive systems.
How to comply
- 1.Develop a documented personnel screening policy that defines screening requirements based on access level and job role
- 2.Implement background checks including criminal history, employment verification, and credit checks as appropriate for role sensitivity
- 3.Establish a baseline screening procedure for all new hires, contractors, and temporary staff before system access is granted
- 4.Document all screening activities and results in personnel files with required retention periods
- 5.Define re-screening intervals for existing personnel, typically annually or per industry standards
- 6.Create an escalation process for handling adverse screening results or discrepancies
- 7.Ensure screening is completed and documented before access credentials are issued
Evidence auditors look for
- Background investigation authorization forms signed by candidates
- Third-party background check reports with completion dates
- Identity verification documentation (government-issued ID, social security verification)
- Security clearance confirmations or investigative agency correspondence
- Personnel file records showing screening completion prior to access grant
- Policy documentation defining screening requirements by role and access level
- Access approval records tied to screening completion dates
- Re-screening tracking logs and completion documentation
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates personnel screening workflow tracking by linking background check completion dates to access authorization records, eliminating manual verification and ensuring no one gains system access until screening is documented and approved.
See how GRCWatch handles this control automatically
Start free trial