Personnel security.
The two requirements at the edges of employment.
Personnel Security is the smallest Level 2 family: 2 requirements. It sits at the two moments access to CUI actually changes hands — screening someone before they get access, and making sure that access doesn’t outlive the job when someone leaves or moves to a different role.
This page explains the family. It does not replace the requirement text or assessment objectives.
01What this family protects
Personnel Security protects the simple fact that every other family’s controls are only as good as the judgment about who gets access in the first place, and how quickly that access is removed when it should no longer exist. PS doesn’t configure anything technical; it governs two decisions made about people.
02The rule says
Both requirements, condensed to their operative sentence — the smallest family on the desk. NIST SP 800-171 Rev. 2 §3.9 has the full text and discussion for each; Source Library covers when to open it.
| § | Requirement |
|---|---|
| 3.9.1 | Screen individuals prior to authorizing access to organizational systems containing CUI. |
| 3.9.2 | Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. |
NIST SP 800-171 Rev. 2 lists no Derived Security Requirements for this family — PS is two Basic Security Requirements, in full.
03In practice
Screening before access (3.9.1). Before someone gets access to a system that handles CUI, the organization evaluates their trustworthiness for that level of access — background checks, reference checks, or whatever screening is proportionate to the position and consistent with applicable law. This isn’t a federal clearance process for most Level 2 contractors; it’s a deliberate step, scaled to the role, rather than handing out access on day one with no screening at all.
Terminations and transfers (3.9.2). When someone leaves, or moves to a role that no longer needs the access they had, that access gets removed — accounts disabled, keys and badges returned, an exit interview covering what they’re still bound by (nondisclosure obligations, for instance). The same logic applies to transfers: access changes with the role, rather than accumulating.
04Where it fails
The gap is almost always timing on 3.9.2 — an account disabled a week after someone’s last day instead of on it, because offboarding runs through a manual checklist someone forgets to start promptly. The requirement’s own discussion specifically flags timely execution as essential for terminations for cause; a delayed offboarding is exactly the gap an assessor will ask about.
05What evidence may look like
A screening record or checklist showing what was checked before access was granted, even informally for a small shop — a reference-check note is evidence; and an offboarding checklist or account-deactivation log showing when access was removed relative to a termination or transfer date.
06At the shop
Blanchard Tool & Machining is the desk’s fictional composite (any resemblance to an actual company is coincidental). Blanchard runs a standard background check through a third-party service before any new hire gets a badge or a login, regardless of role — the two-person IT team doesn’t provision an account until that comes back clean. When an employee left last spring, the office manager’s offboarding checklist — return badge, return laptop, disable domain account, notify the MSP to revoke VPN access — got completed the same day, off the same taped list kept in the HR binder.
07Commonly confused with
Awareness & Training (AT). PS decides who gets access and when that access ends; AT trains the people who currently have access on what to watch for while they hold it. Screening happens once, at the edges of employment; awareness training runs continuously in between. See Awareness & Training.
08Cross-desk links
None load-bearing for this family. See Awareness & Training for the family PS most often gets confused with.
09Sources
| Document | What it’s for |
|---|---|
| NIST SP 800-171 Rev. 2, §3.9 | Full requirement text and discussion for both PS requirements. |
| NIST SP 800-171A | Assessment objectives — how an assessor determines MET for each PS requirement. |
| 32 CFR 170.4 | Defines “CMMC Level 2 security requirement” and ties the 800-171 R2 families to the CMMC Program. |