Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - PS.L2-3.9.1 - Screen individuals prior to authorizing access to organizational systems containing Controlled Unclassified Information
Understanding the Requirement
Personnel security screening requires that organizations evaluate an individual's trustworthiness before granting access to systems that store or process Controlled Unclassified Information (CUI). The objective is straightforward: ensure that anyone who can reach CUI has been vetted so the organization reduces insider risk. For SMBs this means creating a repeatable vetting step in hiring and role-assignment workflows and documenting that the screening occurred prior to system access.
Technical Implementation
- Define a clear vetting policy tied to the roles that require CUI access. Document which checks are required (e.g., federal background checks, identity verification, employment history, and reference checks), who authorizes them, and the retention period for background check records. Keep the policy concise and integrated with HR hiring procedures.
- Maintain an accurate inventory of systems and data classified as CUI and map the roles that need access to them. Only users whose job duties require CUI access should be eligible for vetting and subsequent account provisioning. Use role-based access control (RBAC) so that CUI privileges can be assigned only through those roles.
- Build vetting gates into onboarding workflows. Require HR to complete the specified background check and confirm clearance before IT or system administrators create accounts, assign CUI roles, or issue credentials. Use a documented checklist that must be signed off by HR and an information security owner.
- Implement technical controls that prevent access until vetting is complete. For example, automate account provisioning with a manual approval step in your identity management system, or keep CUI groups disabled until the user's vetting status is marked "cleared." Treat a missing or pending vetting record as a denial, never as a default grant. Enforce multi-factor authentication (MFA) and least privilege by default.
- Keep auditable records and re-screen periodically. Store background check confirmations, approval dates, and vetting levels in a secure HR record system or encrypted repository. Schedule re-screening, and trigger reviews on role changes, promotions, or after incidents. Ensure records meet contract and retention requirements for CUI handling.
Example in a Small or Medium Business
Acme Engineering, a 60-person firm, wins a Department of Defense subcontract that involves receiving CUI. HR updates the hiring checklist to require a federal background check and identity verification for anyone assigned to the contract. Before any new hire or existing employee is given access to the contractor network or project folders, HR uploads the background check clearance to a secure HR record and notifies the security lead. The security lead then instructs the system administrator to create an account in the identity management system and add the user to the CUI-access group; the identity system requires a manager approval flag before group membership activates. The system administrator configures MFA and limits permissions to only the project resources needed for the person's role. For contractors and temporary staff, Acme requires proof of equivalent vetting from the staffing firm and logs that proof before provisioning. When an employee moves off the project or leaves the company, HR notifies the security lead, the system administrator revokes the CUI group membership immediately, and HR archives the vetting records according to the firm's retention policy. Periodic audits by the security lead reconcile every active CUI account against the HR records and verify that each one has supporting vetting documentation.
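The provisioning gate from the technical steps above and the periodic reconciliation audit from the Acme example, written out as an added example; this is not code from the page or from any real identity product. It assumes an in-memory model of the HR vetting records and of identity-provider group membership, a CUI group named cui-access, a five-year re-screening interval, and a fixed date; every record in it is constructed. In a real deployment the two data sources would come from the HR system and the IdP's group-membership export.

```python
"""Vetting gate and reconciliation audit for a CUI access group.

Added example, not code from the page or from any real product: it models the
provisioning gate and the periodic audit described above using constructed,
in-memory data. The group name, the re-screening interval and the record
fields are assumptions; a real deployment would read them from the HR system
and the identity provider.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

CUI_GROUP = "cui-access"                     # assumed IdP group that grants CUI access
RESCREEN_INTERVAL = timedelta(days=5 * 365)  # assumed policy value; contracts may differ
TODAY = date(2024, 6, 1)                     # fixed "today" so the sample is reproducible


@dataclass
class VettingRecord:
    """What HR stores per person: status plus who signed off and when."""
    user: str
    status: str                      # "cleared", "pending" or "denied"
    cleared_on: Optional[date] = None
    approved_by: Optional[str] = None


@dataclass
class ProvisioningRequest:
    user: str
    group: str
    manager_approved: bool           # the approval flag the Acme example requires
    requested_on: date


def vetting_problem(record: Optional[VettingRecord], today: date) -> Optional[str]:
    """Return None if the record supports CUI access today, else why it does not.

    Fail closed: a missing record is a denial, not a default grant.
    """
    if record is None:
        return "no vetting record"
    if record.status != "cleared":
        return f"vetting status is {record.status}"
    if record.cleared_on is None or not record.approved_by:
        return "clearance lacks a date or an approver"
    if record.cleared_on > today:
        return "clearance is dated in the future"
    if today - record.cleared_on > RESCREEN_INTERVAL:
        return "re-screening overdue"
    return None


def provision(req: ProvisioningRequest, hr_records: Dict[str, VettingRecord],
              idp_groups: Dict[str, Set[str]], audit_log: List[dict],
              today: date) -> Optional[str]:
    """Add the user to the requested group; for the CUI group only if the gate passes.

    Returns None when access is granted, otherwise the denial reason. Every CUI
    decision is appended to audit_log so screening can be shown to precede access.
    """
    if req.group == CUI_GROUP:
        reason = vetting_problem(hr_records.get(req.user), today)
        if reason is None and not req.manager_approved:
            reason = "manager approval flag not set"
        audit_log.append({"user": req.user, "group": req.group, "date": req.requested_on,
                          "decision": "denied" if reason else "granted", "reason": reason})
        if reason:
            return reason
    idp_groups.setdefault(req.group, set()).add(req.user)
    return None


def audit_cui_group(idp_groups: Dict[str, Set[str]], hr_records: Dict[str, VettingRecord],
                    today: date) -> Dict[str, str]:
    """Reconcile current CUI members against HR: {user: problem} for every gap found."""
    findings = {}
    for user in sorted(idp_groups.get(CUI_GROUP, ())):
        problem = vetting_problem(hr_records.get(user), today)
        if problem:
            findings[user] = problem
    return findings


def build_sample():
    """Constructed data: a fresh clearance, a pending check, a stale clearance,
    and a legacy CUI account ("dave") with no HR record at all."""
    hr = {
        "alice": VettingRecord("alice", "cleared", date(2024, 1, 15), "hr.lead"),
        "bob": VettingRecord("bob", "pending"),
        "carol": VettingRecord("carol", "cleared", date(2017, 3, 1), "hr.lead"),
    }
    groups = {CUI_GROUP: {"carol", "dave"},
              "engineering": {"alice", "bob", "carol", "dave"}}
    return hr, groups


if __name__ == "__main__":
    hr, groups = build_sample()
    log: List[dict] = []
    for req in (ProvisioningRequest("alice", CUI_GROUP, True, TODAY),
                ProvisioningRequest("bob", CUI_GROUP, True, TODAY)):
        reason = provision(req, hr, groups, log, TODAY)
        print(f"{req.user}: {'granted' if reason is None else 'denied (' + reason + ')'}")
    for user, problem in audit_cui_group(groups, hr, TODAY).items():
        print(f"audit finding: {user}: {problem}")
```

Two design points matter more than the data model. The gate fails closed, so an account that never went through HR (here, "dave") is denied on provisioning and surfaces in the audit rather than slipping through as "no record found, assume fine". And the audit is a reconciliation of the IdP's actual membership, not of the provisioning log: it is the only check that catches members added outside the workflow or whose clearance has aged past the re-screening interval.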
Summary
Screening individuals before granting access to systems that contain CUI combines straightforward HR policy with simple technical gates: define vetting requirements, tie them to roles, prevent provisioning until approval, and maintain auditable records. For SMBs, integrating screening into onboarding, using RBAC and automated approval steps, and keeping documented proof of checks provides a practical, repeatable way to meet PS.L2-3.9.1 while minimizing operational disruption and reducing insider risk.