According to NIST Handbook 162 “Personnel security seeks to minimize the risk that staff (permanent, temporary, or contractor) pose to company assets through the malicious use or exploitation of their legitimate access to the company’s resources. A company’s status and reputation can be damaged by the actions of its employees. Employees may have access to extremely sensitive, or proprietary information, the disclosure of which can destroy an organization’s reputation or cripple it financially. Companies should be vigilant when recruiting and hiring new employees, as well as when an employee transfers or is terminated.”

3.9.1 Screen individuals prior to authorizing access to information systems containing CUI.

To meet requirement 3.9.1, you need to “screen individuals”. Screening refers to performing a background check on an individual. This requirement can be met by performing a background check on employees and contractors before they are granted access to a system containing controlled unclassified information. If they fail the background check you may decide not allow them access to your system.

3.9.2 Ensure that CUI and information systems containing CUI are protected during and after personnel actions such as terminations and transfers.

To meet this requirement, you need to revoke all information system access when an employee is terminated, collect all company provided equipment from them, and hold an exit interview with them to review your confidentiality agreement with the individual. For personnel transfers, that is employees transitioning to different roles in your organization you need to review their account privileges and permission to ensure that they only have access to the resources they need to complete their current job duties. You need to have a process in place where HR and IT coordinate employee transfers.