LLMResponse PS.L2-3.9.1.a: Difference between revisions
No edit summary |
No edit summary |
||
| Line 1: | Line 1: | ||
I'll help you prepare for your CMMC Level 2 assessment of the PS.L2-3.9.1 - SCREEN INDIVIDUALS practice. Based on the assessment guidance you've provided and the CMMC Assessment Guide, I'll suggest what evidence would be appropriate to demonstrate compliance with this practice. | I'll help you prepare for your CMMC Level 2 assessment of the PS.L2-3.9.1 - SCREEN INDIVIDUALS practice. Based on the assessment guidance you've provided and the CMMC Assessment Guide, I'll suggest what evidence would be appropriate to demonstrate compliance with this practice. | ||
== Understanding the Requirement == | |||
PS.L2-3.9.1 requires screening individuals before authorizing their access to organizational systems containing CUI. The assessment objective is to determine if individuals are screened prior to granting this access. | PS.L2-3.9.1 requires screening individuals before authorizing their access to organizational systems containing CUI. The assessment objective is to determine if individuals are screened prior to granting this access. | ||
== Recommended Evidence Collection Approach == | |||
*** 1. Documents to Examine | |||
I recommend collecting the following documents: | I recommend collecting the following documents: | ||
| Line 18: | Line 18: | ||
- Hiring process documentation that includes screening steps | - Hiring process documentation that includes screening steps | ||
*** 2. Interviews to Conduct | |||
Consider interviewing: | Consider interviewing: | ||
| Line 27: | Line 27: | ||
- Information security officer or personnel with information security responsibilities | - Information security officer or personnel with information security responsibilities | ||
*** 3. Tests to Perform | |||
You could demonstrate: | You could demonstrate: | ||
| Line 35: | Line 35: | ||
- The access control process showing how screened status affects system access permissions | - The access control process showing how screened status affects system access permissions | ||
*** 4. Specific Evidence Items | |||
Based on the evidence types you've defined: | Based on the evidence types you've defined: | ||
| Line 58: | Line 58: | ||
- Demonstration of IT system showing how access to CUI systems requires screening verification | - Demonstration of IT system showing how access to CUI systems requires screening verification | ||
== Important Implementation Considerations == | |||
1. Ensure your screening process is appropriate for the level of access required for different positions | 1. Ensure your screening process is appropriate for the level of access required for different positions | ||
Revision as of 02:24, 3 April 2025
I'll help you prepare for your CMMC Level 2 assessment of the PS.L2-3.9.1 - SCREEN INDIVIDUALS practice. Based on the assessment guidance you've provided and the CMMC Assessment Guide, I'll suggest what evidence would be appropriate to demonstrate compliance with this practice.
Understanding the Requirement
PS.L2-3.9.1 requires screening individuals before authorizing their access to organizational systems containing CUI. The assessment objective is to determine if individuals are screened prior to granting this access.
Recommended Evidence Collection Approach
- 1. Documents to Examine
I recommend collecting the following documents:
- Personnel security policy that outlines screening requirements before granting access to systems containing CUI - Procedures for personnel screening (including the types of screening conducted) - Records of screened personnel (anonymized if needed for privacy) - System security plan section that describes your screening process - Job descriptions that define screening requirements based on role/position - Hiring process documentation that includes screening steps
- 2. Interviews to Conduct
Consider interviewing:
- HR personnel responsible for screening processes - Security manager or personnel with personnel security responsibilities - IT staff responsible for granting system access - Information security officer or personnel with information security responsibilities
- 3. Tests to Perform
You could demonstrate:
- The process flow for a new hire from screening to system access approval - The system workflow that prevents access until screening is complete - The access control process showing how screened status affects system access permissions
- 4. Specific Evidence Items
Based on the evidence types you've defined:
- Artifacts:**
- Screenshots (redacted for privacy) of your HR system showing screening status tracking - Sample access request forms showing screening verification before approval - Access control logs showing access was only granted after screening completion
- Documents:**
- Personnel security policy with screening requirements - Screening procedures documentation - Background check provider contracts/agreements - System access authorization procedure showing screening verification step
- Physical Review:**
- On-site demonstration of HR records showing screening completion before system access - Review of physical access records tied to screening status
- Screen Share:**
- Demonstration of how HR verifies screening completion - Demonstration of IT system showing how access to CUI systems requires screening verification
Important Implementation Considerations
1. Ensure your screening process is appropriate for the level of access required for different positions 2. Document the criteria used for screening decisions 3. Maintain records that clearly show screening was completed before system access was granted 4. Ensure your screening practices comply with applicable laws and regulations 5. Implement a process for periodic re-screening if appropriate for your organization
Would you like me to elaborate on any specific aspect of this evidence collection approach or provide more details on a particular type of evidence?