Control 3.9.1
Screen Individuals Before Authorizing Access
Official Requirement
Screen individuals prior to authorizing access to information systems containing CUI.
What This Means in Plain English
Background checks must be conducted on all personnel before they are given access to systems containing CUI. The level of screening should be appropriate for the sensitivity of the information they will access.
How Petronella Implements This Control
Petronella Technology Group implements this control through:
- Pre-employment background checks including criminal history, employment verification, and reference checks
- Background check results reviewed and approved before CUI system access is provisioned
- Periodic re-screening for personnel in sensitive positions
- Third-party contractor background check requirements included in all vendor contracts
- ComplianceArmor tracking screening status, dates, and clearance levels for all personnel
Assessment Guidance
Assessors will review personnel screening policies, verify that background checks are completed before CUI access, check screening records for sample personnel, and confirm that contractors undergo equivalent screening.
Common Implementation Gaps
- No background checks performed before granting system access
- Background checks completed after access is already granted
- Contractors not subject to background screening requirements
- No periodic re-screening program
- Screening records not maintained or tracked
Cross-Framework Mapping
| Framework | Mapped Controls |
|---|---|
| NIST SP 800-53 | PS-3 |
| PCI DSS | Req 12.7 - Screen potential personnel |