National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

NIST Special Publication 800-53 (Rev. 4)

Security and Privacy Controls for Federal Information Systems and Organizations

PS-3 PERSONNEL SCREENING

Family:
PS - PERSONNEL SECURITY
Class:
Priority:
P1 - Implement P1 security controls first.
Baseline Allocation:
Low Moderate High
PS-3 PS-3 PS-3

Control Description

The organization:

a. Screens individuals prior to authorizing access to the information system; and

b. Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening].

Supplemental Guidance

Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems.

Related to: AC-2IA-4PE-2PS-2

Control Enhancements

PS-3(1) PERSONNEL SCREENING | CLASSIFIED INFORMATION
The organization ensures that individuals accessing an information system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system.

Related to: AC-3AC-4
PS-3(2) PERSONNEL SCREENING | FORMAL INDOCTRINATION
The organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of information to which they have access on the system.
Supplemental Guidance: Types of classified information requiring formal indoctrination include, for example, Special Access Program (SAP), Restricted Data (RD), and Sensitive Compartment Information (SCI).
Related to: AC-3AC-4
PS-3(3) PERSONNEL SCREENING | INFORMATION WITH SPECIAL PROTECTION MEASURES
The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection:
PS-3 (3)(a)
Have valid access authorizations that are demonstrated by assigned official government duties; and
PS-3 (3)(b)
Satisfy [Assignment: organization-defined additional personnel screening criteria].
Supplemental Guidance: Organizational information requiring special protection includes, for example, Controlled Unclassified Information (CUI) and Sources and Methods Information (SAMI). Personnel security criteria include, for example, position sensitivity background screening requirements.