How to Meet NIST SP 800-171 & CMMC Personnel Security Requirements

To meet CMMC and NIST SP 800-171 requirements, organizations must implement personnel security controls. What are these requirements and how can they be met?

What are the NIST SP 800-171 and CMMC Personnel Security Requirements?

Two NIST SP 800-171 requirements, both in the Personnel Security family (3.9), cover this area; CMMC maps them to practices PS.2.127 and PS.2.128.

NIST SP 800-171 3.9.1 and CMMC PS.2.127

Requirement: Screen individuals prior to authorizing access to organizational systems containing CUI.

How to Meet Requirements 3.9.1 and PS.2.127

Personnel who will handle controlled unclassified information (CUI) must be screened before they are granted access. At a minimum, require a criminal background check before hire or before CUI access is provisioned. Add further checks as your risk and contracts warrant, such as a credit check, drug test, and verification of education and employment history. Record the date and outcome of each screening, since an assessor will ask for evidence that screening happened before access was authorized.
Many companies offer background checks at a reasonable price; one of them is GoodHire.

NIST SP 800-171 3.9.2 and CMMC PS.2.128

Requirement: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.

How to Meet Requirements 3.9.2 and PS.2.128

When an employee is terminated or a contractor's engagement ends, that person no longer needs access to your information system, so you must revoke all of their logical and physical access. This means disabling their user accounts, ending any active sessions (reset the password and revoke issued tokens, since disabling an account alone does not end sessions that are already authenticated), removing their group memberships and shared-resource permissions, and deactivating or collecting their physical access credentials (e.g., keys and badges). You must also collect all equipment issued to them, including laptops, removable storage devices, smartphones, and hardware authentication tokens (e.g., a YubiKey). Finally, hold an exit interview with the departing employee or contractor and remind them of their non-disclosure agreement with the company.
When personnel transfer to a new role in your organization, they will usually need access to new system resources and no longer need the resources associated with their old role. Access from the old role does not expire on its own, so whenever a transfer occurs, review the person's logical and physical access and adjust it to match the new role rather than simply adding new permissions on top of the old ones.
You should have well-documented onboarding, termination, and role-transfer processes, and a record showing that each step was completed and when.
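The termination and transfer steps above are easy to describe and easy to miss in practice, so the following is an added example (not part of the original article) of a joiner/mover/leaver reconciliation: it compares an HR feed against a directory snapshot and produces the concrete actions 3.9.2 expects, plus findings where access has outlived the personnel action. The HR records, directory records, role-to-group baseline, and asset names are all constructed for this example; in a real deployment the two inputs would come from your HRIS export and a directory query.

```python
"""Joiner/mover/leaver reconciliation for NIST SP 800-171 3.9.2 (added example).

Compares a constructed HR feed against a constructed directory snapshot and
emits (a) the access actions to perform and (b) findings where access
outlived a termination or transfer.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Role baseline: the groups each role is entitled to. Constructed for this
# example; a real one would be owned by the resource owners.
ROLE_GROUPS = {
    "engineer": {"VPN-Users", "CUI-Engineering-Share"},
    "finance": {"VPN-Users", "CUI-Finance-Share", "ERP-Users"},
}


@dataclass
class HrRecord:
    user: str
    status: str        # "active" | "terminated" | "transferred"
    role: str          # role after the personnel action
    effective: date    # date the action takes effect


@dataclass
class DirRecord:
    user: str
    enabled: bool
    groups: set[str]
    badge_active: bool
    assets: set[str] = field(default_factory=set)   # issued equipment


def reconcile(hr: list[HrRecord], directory: list[DirRecord], today: date):
    """Return (actions, findings). Actions are (user, action) tuples in the
    order they should be executed; findings are human-readable exceptions."""
    actions, findings = [], []
    dir_by_user = {d.user: d for d in directory}
    hr_users = {r.user for r in hr}

    for rec in hr:
        d = dir_by_user.get(rec.user)
        if d is None or rec.effective > today:
            continue   # no directory object, or action not yet effective
        if rec.status == "terminated":
            # Leaver: disable first, then end sessions, then strip entitlements.
            if d.enabled:
                findings.append(f"{rec.user}: terminated {rec.effective} but account still enabled")
                actions.append((rec.user, "disable_account"))
            # Disabling does not end already-authenticated sessions, so always do this.
            actions.append((rec.user, "revoke_sessions"))
            for g in sorted(d.groups):
                actions.append((rec.user, f"remove_group:{g}"))
            if d.badge_active:
                actions.append((rec.user, "deactivate_badge"))
            for a in sorted(d.assets):
                actions.append((rec.user, f"collect_asset:{a}"))
        else:
            # Mover (or active): groups must equal the role baseline, not a superset.
            want = ROLE_GROUPS[rec.role]
            for g in sorted(d.groups - want):
                findings.append(f"{rec.user}: holds {g}, not part of role {rec.role}")
                actions.append((rec.user, f"remove_group:{g}"))
            for g in sorted(want - d.groups):
                actions.append((rec.user, f"add_group:{g}"))

    # Orphans: enabled directory accounts with no HR record at all.
    for d in directory:
        if d.enabled and d.user not in hr_users:
            findings.append(f"{d.user}: enabled account with no HR record")
            actions.append((d.user, "disable_account"))
    return actions, findings


# Constructed sample inputs: one leaver, one mover, one unchanged user, one orphan.
HR_FEED = [
    HrRecord("alice", "terminated", "engineer", date(2021, 3, 1)),
    HrRecord("bob", "transferred", "finance", date(2021, 3, 10)),
    HrRecord("carol", "active", "engineer", date(2020, 1, 1)),
]
DIRECTORY = [
    DirRecord("alice", True, {"VPN-Users", "CUI-Engineering-Share"}, True, {"LAPTOP-0123", "YubiKey"}),
    DirRecord("bob", True, {"VPN-Users", "CUI-Engineering-Share"}, True, {"LAPTOP-0456"}),
    DirRecord("carol", True, {"VPN-Users", "CUI-Engineering-Share"}, True),
    DirRecord("svc-old", True, set(), False),
]
AS_OF = date(2021, 3, 15)


def run_example():
    return reconcile(HR_FEED, DIRECTORY, AS_OF)


if __name__ == "__main__":
    acts, finds = run_example()
    for user, action in acts:
        print(f"{user:8} {action}")
    for f in finds:
        print("FINDING:", f)
```

Run this on a schedule, not only at offboarding time: the findings list is your evidence that the control is operating, and an orphaned or still-enabled account showing up in it is exactly the failure an assessor will look for.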

