PS-3

Personnel Screening

Personnel Security

NIST Control Text

Screen individuals prior to authorizing access to the system; and

Rescreen individuals in accordance with [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening].

NIST Discussion

Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks.

Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems.

Parameter Values

Assignment (conditions/frequency):

Rescreening frequency increases with tier: every 18 months (SenL-1) to every 13 months (SenL-5) [26]

Rescreen upon role change requiring higher SenL or upon triggering events from continuous monitoring [26]

SL5 Supplemental Guidance

All tiers use a “Private SF-86” disclosure packet—a comprehensive background disclosure form modeled on the government SF-86 but using lawfully accessible private-sector sources. Higher tiers (SenL-4/5) add verified subject and reference interviews for character and reliability assessment. Private-sector vetting is inherently limited; organizations may need to pursue government involvement (through classified contract pathways, information sharing arrangements, or new statutory authority) to achieve adequate personnel security for the stated threat model [26].

Provisional access during vetting requires compensating controls as specified in the SenL Framework Document [26].