Description:
Personnel security screening (vetting) activities involve the evaluation/assessment of an individual’s conduct, integrity, judgment, loyalty, reliability, and stability (i.e., the trustworthiness of the individual) prior to authorizing access to organizational systems containing CUI. The screening activities reflect applicable federal laws, Executive Orders, directives, policies, regulations, and specific criteria established for the level of access required for assigned positions.
Priority: High
Domain: PERSONNEL SECURITY (PS)
Category: Personnel Security
Services Associated with AWS:
N/A
Services Associated with Azure:
- Azure Security Center
- Azure Information Protection (AIP)
- Azure Active Directory (Azure AD)
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate Human Resources (HR) practices to screen individuals
- Administrative: supporting documentation to demonstrate how Identity & Access Management (IAM) practices are implemented
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
- Technical: screenshot of AD settings, or other IAM interface
Possible Technology Considerations:
N/A
What needs to be answered:
Are individuals requiring access screened before access is granted?
Checks for AWS:
- Personnel Security Screening for Access to CUI Systems
 Description: This check ensures that organizations have established personnel security screening processes to evaluate and assess the trustworthiness of individuals before granting them access to organizational systems containing Controlled Unclassified Information (CUI). Personnel security screening activities aim to assess an individual's conduct, integrity, judgment, loyalty, reliability, and stability to determine their eligibility for accessing CUI systems.
Checks for Azure:
- Azure Policy Check for Personnel Security Screening:
 Description: This policy check ensures that organizations have established personnel security screening processes to evaluate and assess the trustworthiness of individuals before granting them access to Azure resources containing Controlled Unclassified Information (CUI). Personnel security screening activities aim to assess an individual's conduct, integrity, judgment, loyalty, reliability, and stability to determine their eligibility for accessing resources with CUI.
 
More Details:
Employees with access to CUI must undergo background screening prior to approval to work on CUI.
