CMMC Weekly Series #10
Posted on June 19, 2020 by Christopher Bukowski, Esq.
Personnel Security (PS)
Probably the most basic and obvious of the CMMC Domains, Personnel Security (PS) is still deserving of and warrants due attention. After all, people are the bedrock of any well run and functioning organization and they must be reliable, competent, and trustworthy. What organization would intentionally place the cornerstone of its foundation on loose sand rather than solid rock?
The first capability for this Domain in the CMMC framework begins at Level 2 and consists of Screening Personnel:
PS.2.127: Screen individuals prior to authorizing access to organizational systems containing CUI. This is consistent with most organizations’ procedures to one extent or another and, most likely, is addressed prior to employment. Generally, when an employee is hired there is some type of review of his/her history and a follow up to confirm. Some companies may take a resume on face value and look no further, but there ought to be more due diligence in this process, even without the CMMC framework requirements.
The extent of review and screening of a potential employee that a company would carry out is largely dependent upon the level of sensitivity of the information held by said organization.
Because most checks involve a relatively minimal investment of time and money to complete, it would seem prudent for companies, at a minimum, to perform some, if not all, of the checks provided here below:
1. Credit Check
2. Criminal Background Check
3. Education and Certification Check
4. Employment History Check
5. Reference Check
6. E-Verify Check: This “confirms the eligibility of…employees to work in the United States”.
In the Department of Defense (DoD) contracting industry, to which CMMC is applicable (at least initially), there is a large number of personnel with security clearances. The background investigation that is necessary for granting a security clearance typically includes such checks as credit history and criminal history, as well as eligibility to work in the United States, among other things. Given the extensive level of background investigation involved, a security clearance could, at least in part, satisfy some of the background checks, as partially suggested by FAR 52.222-54: Employment Eligibility Verification. However, even in the case of an intended hire with a security clearance, prudence dictates also performing the Education and Certification check, Employment History Check and Reference Check.
Companies can also be proactive and enhance their hiring process by voluntarily participating in several government programs. One such program is ICE’s Mutual Agreement between Government and Employers (IMAGE) program, which is a voluntary membership certification program between ICE and industry (commercial) partners to help reduce unauthorized employment and fraudulent identity documents. In a nutshell, it utilizes the partnership agreement, self-assessments, internal employment eligibility verification policies and audits, external I-9 inspections, and E-Verify, among other things, to aid industry and government hiring departments and ensure authorized, valid, and legitimate personnel and hiring processes.
In addition to a robust screening process for hiring, employers need to ensure that employees accessing sensitive information have the appropriate level of authorization and need to know access to that information or systems containing said information. All access ought to fall within the scope of personnel duties, in accordance with their job function and guided by the principle of least privilege (granting the minimum amount of access/authorization required for the job). Furthermore, it is a best practice to ensure that employees have an Non-Disclosure Agreement (NDA) in place with the organization, thereby protecting the sensitive information being accessed.
The next Capability in this Domain goes hand in hand with the first and is also found at Level 2. It consists of protecting CUI during personnel actions:
PS.2.128: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. This is, in large part, self-explanatory. If an employee leaves employment or transfers to a different role or even different department, it is paramount that the access they had is immediately removed, assuming it is no longer required (as in the case of a role change or department transfer). Hardly a news cycle passes without a story of terminated employees attempting to sabotage former employers via setting time bombs in systems, accessing systems without authorization and manipulating data, and of course, leaking sensitive data (including customers’ data) to the press.
There are also additional steps that can be taken regarding personnel actions that aren’t as intuitive. For instance, the rotation of duties which helps mitigate the risk of any particular employee having too many privileges; mandatory leave, which reduces and better helps discover access abuses; separation of duties, in which multiple employees are required to accomplish a specific task related to sensitive information; etc. There are several other policies and processes a company can employ to mitigate the risks associated with personnel actions, such as utilizing audit logs and implementing a strong password policy with regular and recurring change requirements and expiration dates.
In conclusion, though Personnel Security might seem like the most simple and basic of the CMMC Domains, that in no way means it is less important. In fact, in a certain respect, it may be the most important domain given the concept that personnel are the basic building blocks of a well-founded and structured organization. After all, if you cannot trust the employees you hire and clearly set parameters around their access, specifically and directly related to their duties, then the cornerstone of the organization will inevitably become unstable directly in proportion to the severity of the deficiencies in this domain.