LLMPrompt PS.L2-3.9.1: Difference between revisions

From CMMC Toolkit Wiki
Created page with "# Ranking Evidence Types for PS.L2-3.9.1 Based on the assessment objective "[a] individuals are screened prior to authorizing access to organizational systems containing CUI," here's my ranking of evidence types from most to least compelling, supported by the assessment objects: ## Evidence Type Ranking 1. **Documents** - Highest priority * Personnel security policy that defines screening requirements * Procedures documenting personnel screening processes * R..."
 
No edit summary
 
Previous revision:

# Ranking Evidence Types for PS.L2-3.9.1

Based on the assessment objective "[a] individuals are screened prior to authorizing access to organizational systems containing CUI," here's my ranking of evidence types from most to least compelling, supported by the assessment objects:

## Evidence Type Ranking

1. **Documents** - Highest priority
  * Personnel security policy that defines screening requirements
  * Procedures documenting personnel screening processes
  * Records of screened personnel showing completion before access granted
  * System security plan sections addressing screening requirements

2. **Artifacts** - Second priority
  * Access control records showing that system access was granted only after screening
  * HR workflow evidence showing screening verification steps
  * Authorization forms with screening verification checkpoints

3. **Screen Share** - Third priority
  * Demonstration of the access control system showing how screening status affects permissions
  * Walkthrough of HR/security systems showing screening verification before access approval

4. **Physical Review** - Fourth priority
  * On-site observation of screening records and their connection to access control
  * Physical inspection of security controls that enforce the screening requirement

## Assessment Approach Prioritization

For this assessment objective, I recommend prioritizing the assessment approaches as follows:

1. **Examine** - Highest priority
  * This approach provides direct evidence of your screening policies, procedures, and records
  * Documents show the design and implementation of your screening controls
  * Records demonstrate that screening consistently occurs before access is granted

2. **Interview** - Second priority
  * Interviews with personnel security and HR staff explain how screening policies are implemented
  * IT staff can explain how screening status affects system access permission controls
  * Interviews validate that documented procedures are understood and followed

3. **Test** - Third priority
  * Testing demonstrates the effectiveness of controls that prevent access before screening
  * While valuable, testing supplements rather than replaces examination of records and interviews

Latest revision as of 02:30, 3 April 2025

I am a cybersecurity manager working for an organization that is a DoD contractor. I need to implement various security practices that conform to DoD's CMMC program at level 2. The CMMC program stipulates security practices that are based on NIST Special Publication 800-171 R2. For each security practice of CMMC Level 2, I need to show evidence that my organization is in compliance with CMMC. Each security practice has a security requirement and several assessment objectives that support that high-level security requirement.

I am assessing one of the assessment objectives within the practice PS.L2-3.9.1 – SCREEN INDIVIDUALS. The CMMC program has published the following assessment guidance, so take it into account as you formulate your response. Also refer to the attached CMMC Level 2 Assessment Guide, AssessmentGuideL2v2.pdf, for more context and information about the practice.

A. SECURITY REQUIREMENT: Screen individuals prior to authorizing access to organizational systems containing CUI.

B. ASSESSMENT OBJECTIVES: Determine if: [a] individuals are screened prior to authorizing access to organizational systems containing CUI.

C. ASSESSMENT APPROACHES: I have three assessment approaches for assessing any security practice. They are listed as follows:

C1. Examine: The process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objectives to facilitate understanding, achieve clarification, or obtain evidence. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time.

C2. Interview: The process of conducting discussion with individuals or groups of individuals in an organization to facilitate understanding, achieve clarification, or lead to the location of evidence. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time.

C3. Test: The process of exercising one or more assessment objects under specified conditions to compare actual with expected behavior. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time.

D. ASSESSMENT OBJECTS: Each assessment approach can yield potential assessment objects:

D1. Examine: [SELECT FROM: Personnel security policy; procedures addressing personnel screening; records of screened personnel; system security plan; other relevant documents or records].

D2. Interview: [SELECT FROM: Personnel with personnel security responsibilities; personnel with information security responsibilities].

D3. Test: [SELECT FROM: Organizational processes for personnel screening].

E. DISCUSSION: Personnel security screening (vetting) activities involve the evaluation/assessment of individual’s conduct, integrity, judgment, loyalty, reliability, and stability (i.e., the trustworthiness of the individual) prior to authorizing access to organizational systems containing CUI. The screening activities reflect applicable federal laws, Executive Orders, directives, policies, regulations, and specific criteria established for the level of access required for assigned positions.

F. FURTHER DISCUSSION: Ensure all employees who need access to CUI undergo organization-defined screening before being granted access. Base the types of screening on the requirements for a given position and role. The effective screening of personnel provided by this practice, PS.L2-3.9.1, improves upon the effectiveness of authentication performed in IA.L1-3.5.2.

G. Example: You are in charge of security at your organization. You complete standard criminal background and credit checks of all individuals you hire before they can access CUI [a]. Your screening program follows appropriate laws, policies, regulations, and criteria for the level of access required for each position.

H. Potential Assessment Considerations: Are appropriate background checks completed prior to granting access to organizational systems containing CUI [a]?

I. EVIDENCE TYPES: Finally, I have four evidence types that I can collect. The definitions of the evidence types are as follows:

I1. Artifacts: Tangible and reviewable records that are the direct outcome of a practice or process being performed by a system, person, or persons performing a role in that practice, control, or process. (See CAP Glossary for additional details.)

I2. Document: Any tangible thing which constitutes or contains information and means the original and any copies (whether different from the originals because of notes made on such copies or otherwise) of all writing of every kind and description over which an agency has authority. (See CAP Glossary for additional details.)

I3. Physical Review: An on-premise observation of Evidence.

I4. Screen Share: Live observation "over the shoulder" of a user as they share their computer screen while performing a task.

J. KEY REFERENCES: NIST SP 800-171 Rev 2 3.9.1