Understanding CMMC Personnel Security Domain

Personnel Security (PS) domain in CMMC focuses on prioritizing security when handling, maintaining, or dealing with Personnel. It covers practices such as screening individuals, analyzing actions and taking appropriate actions to maintain CUI. CMMC Level 1 requires no action, Level 2 requires a personnel security policy, records of screened personnel, and processes for personnel screening. Level 3 practices are yet to be determined. Read out to know details.

Introduction to Personnel Security Domain practices under CMMC 2.0

This article is the fifth in a 15-part blog series discussing each domain in Cybersecurity Maturity Model Certification (CMMC). This article touches upon one of the domains within CMMC: Personnel Security.   

The Personnel Security (PS) domain is all about Personnel. It will discuss topics related to managing Personnel, screening individuals, their actions, and the security aspects of Personnel.   

We will be exploring Personnel Security in the following manner:    

  • What is Personnel Security?   
  • How do you enforce Personnel Security in your organization?    

What is Personnel Security?    

The Personnel Security Domain focuses on prioritizing security regarding handling, maintaining, or dealing with Personnel. Screening individuals, analyzing actions, and taking appropriate action are important in this domain.  

Let us break down the practices within this domain:  

Screening Individuals  

To maintain or interact with CUI, you must ensure that the individuals working with this sensitive information are vetted to do so. Your organization may define the screening requirements for individuals who handle CUI. Still, all individuals MUST be screened before accessing organizational systems containing CUI. Screening could involve evaluating various factors, including an individual's conduct, integrity, loyalty, honesty, reliability, and more. The type of screening conducted should also be dependent on the individual's position and the requirements of that position (for example, if they have to work with a lot of CUI and there are many security requirements, the screening should be a lot more in-depth).  

Personnel Actions  

Screening individuals is not the only important aspect of Personnel Security. Once that has been done, the actions they perform must be monitored and controlled as well. It is also important to protect and maintain your CUI before, during, and after personnel actions have been conducted on your organizational systems. This requirement also focuses on Personnel reassigned, transferred, or terminated from your organization. For reassignments or transfers, your organization must determine CUI protection mechanisms that align with the processes in your organization for reassignments/transfers (for example, returning keycards). For terminations, it is important to let the individual know the sensitivity of their position and remind them of nondisclosure agreements and other requirements to maintain security.   

How do you enforce Personnel Security in your organization?    

This domain covers cybersecurity best practices related to Personnel Security, ranging from equipment Personnel Security to personnel actions. However, the main focus remains on Personnel Security and ensuring that any form of Personnel Security is performed properly and with the proper approach.  

CMMC 2.0 Levels and the PS Domain  

CMMC Level 1  

For CMMC Level 1, your organization will not have to do anything for this domain.   

CMMC Level 2  

For CMMC Level 2, there are two practices.  

  • Screening Individuals 
  • Personnel Actions 

Here are some suggestions on how to comply with the above two security practices:   

  • Personnel Security Policy  
  • Records of Screened Personnel  
  • Records of Exit Interviews  
  • Organizational Processes for Personnel Screening  
  • Procedures Addressing Personnel Screening  
  • System Security Plan (SSP)  
  • List of System Accounts  

CMMC Level 3  

For CMMC Level 3, the PS practices are yet to be determined.