Personnel Security
The Personnel Security family in NIST 800-171 Rev 2 focuses on ensuring that individuals who have access to Controlled Unclassified Information (CUI) are properly vetted and that access to CUI is restricted when personnel no longer require it due to changes in employment status. The primary goal of this family is to prevent unauthorized access to CUI by ensuring that only trustworthy individuals are granted access, and that access is promptly revoked when personnel leave the organization or change roles.
The Personnel Security family has two key security requirements, which emphasize the need to manage access to CUI based on personnel status and ensure proper procedures are in place for when personnel leave or transition within an organization.
Key Personnel Security Requirements in NIST 800-171 Rev 2:
1. Screen Individuals Before Authorizing Access to CUI (3.9.1)
Basic Requirement: Organizations must screen individuals before granting them access to CUI to ensure they are trustworthy and qualified to handle sensitive information.
Key Focus:
- Conduct background checks and other forms of vetting to assess the trustworthiness and reliability of individuals who will have access to CUI.
- Screening processes should be consistent with organizational policies, regulatory requirements, and any contractual obligations related to the handling of CUI.
Example: Performing criminal background checks, credit checks, and reference checks for employees, contractors, or third parties who will have access to CUI.
2. Ensure Timely Revocation of Access to CUI When Employment Status Changes (3.9.2)
Basic Requirement: Organizations must ensure that access to CUI is promptly revoked when an individual’s employment status changes (e.g., when they leave the organization, transfer to a new role, or no longer require access to CUI).
Key Focus:
- Develop procedures to revoke access to systems, devices, and physical spaces that store CUI as soon as an individual’s employment ends or their role changes.
- Ensure that all access points, including system credentials, physical access (e.g., badges or keys), and any removable storage media, are disabled or recovered.
Example: Immediately deactivating system accounts and retrieving access badges when an employee resigns or is terminated, or changing access permissions for employees moving to a non-sensitive role.
Importance of Personnel Security in Cybersecurity:
- Prevents Insider Threats: Screening personnel before granting access helps reduce the risk of insider threats, whether intentional (e.g., malicious actions) or accidental (e.g., mishandling of CUI by unqualified personnel). This ensures that only trustworthy individuals have access to sensitive information.
- Ensures Timely Revocation of Access: Promptly revoking access when personnel leave or change roles prevents former employees or individuals in different roles from retaining access to CUI, which reduces the risk of unauthorized data breaches or misuse of information.
- Supports Compliance with Regulations: Personnel security is a crucial component of compliance with regulations like NIST 800-171, which requires organizations to ensure that individuals with access to CUI are properly vetted and that access is carefully managed.
- Minimizes the Risk of Data Exposure: When personnel who no longer need access to CUI retain credentials or access, the risk of data exposure increases. Timely revocation of access helps prevent unauthorized access and data leakage.
- Maintains Accountability: By screening individuals and controlling access based on employment status, organizations can maintain a clear record of who has access to CUI at any given time, ensuring greater accountability and transparency.
Best Practices for Personnel Security:
- Conduct Thorough Pre-Employment Screenings: Implement a consistent and thorough screening process that includes background checks, credit checks, and verification of past employment and references for all individuals who will have access to CUI.
- Establish Clear Access Policies: Define policies that specify who is authorized to access CUI and under what conditions. These policies should align with security requirements and be clearly communicated to employees.
- Automate the Deactivation Process: Use automated systems where possible to deactivate system accounts, access badges, and other permissions when an employee leaves or changes roles. This ensures that access revocation is prompt and minimizes the risk of delays.
- Perform Regular Access Audits: Conduct periodic audits of access privileges to ensure that only current, authorized personnel have access to CUI. Review and update access permissions as roles and responsibilities change.
- Ensure Clear Communication During Offboarding: Have a well-defined offboarding process that includes revoking all access to CUI and systems, recovering organizational property (e.g., laptops, mobile devices, and removable storage), and providing a record of actions taken to ensure full revocation.
- Limit Access Based on Roles: Implement the principle of least privilege, ensuring that personnel have access only to the CUI that is necessary for their specific role. This reduces the risk of accidental or intentional exposure of sensitive information.
- Train Personnel on Security Policies: Ensure that all employees, including new hires and contractors, are trained on organizational security policies related to CUI, including how access is granted, monitored, and revoked.
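The automated deactivation, periodic access audit, and offboarding-record practices above all come down to one reconciliation: compare the HR system of record against who currently holds CUI access, and turn every mismatch into a concrete revocation step with a timestamped record. The script below is an added example written for this page; it is not code from NIST SP 800-171 or from any particular identity product. The HR and access records, the role names in CUI_ROLES, the one-day revocation window, and the two sample data sets are all constructed for illustration and would be replaced by exports from the organization's own HR and directory systems.

```python
"""Access reconciliation for CUI holders (added example; data and names are constructed)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical set of roles whose duties justify CUI access (least-privilege mapping).
CUI_ROLES = {"engineer", "program-manager", "contracts"}
# Hypothetical policy window: revocations not completed within it are reported as overdue.
MAX_REVOCATION_DELAY = timedelta(days=1)


@dataclass
class HrRecord:
    user: str
    status: str      # "active", "terminated" or "transferred"
    role: str
    effective: date  # date the current status/role took effect


@dataclass
class AccessRecord:
    user: str
    cui_access: bool      # account still holds CUI entitlements
    badge_active: bool    # physical access badge still enabled
    media_returned: bool  # removable media checked back in


@dataclass
class Action:
    user: str
    reason: str
    steps: list = field(default_factory=list)
    overdue: bool = False


def reconcile(hr, access, today):
    """Return one Action per account whose holder no longer qualifies for CUI access."""
    hr_by_user = {r.user: r for r in hr}
    actions = []
    for acct in access:
        rec = hr_by_user.get(acct.user)
        if rec is None:
            reason, full_offboard = "no HR record (orphaned account)", True
        elif rec.status == "terminated":
            reason, full_offboard = f"terminated effective {rec.effective}", True
        elif rec.role not in CUI_ROLES:
            # Transfer to a non-CUI role: strip entitlements, keep the person's badge.
            reason, full_offboard = f"role '{rec.role}' does not require CUI", False
        else:
            continue  # active in a CUI role: still authorized
        steps = []
        if acct.cui_access:
            if full_offboard:
                steps.append("disable system account")
            steps.append("remove CUI entitlements")
        if full_offboard and acct.badge_active:
            steps.append("deactivate badge")
        if full_offboard and not acct.media_returned:
            steps.append("recover removable media")
        if not steps:
            continue  # revocation already complete; nothing to report
        overdue = rec is None or (today - rec.effective) > MAX_REVOCATION_DELAY
        actions.append(Action(acct.user, reason, steps, overdue))
    return actions


def audit_report(actions, today):
    """Render the offboarding/audit record as plain text lines."""
    lines = [f"CUI access reconciliation {today.isoformat()}: {len(actions)} account(s) need action"]
    for a in actions:
        flag = " OVERDUE" if a.overdue else ""
        lines.append(f"- {a.user}: {a.reason}{flag}; steps: {', '.join(a.steps)}")
    return lines


# Constructed sample data (not real personnel).
TODAY = date(2024, 6, 3)
SAMPLE_HR = [
    HrRecord("alice", "active", "engineer", date(2024, 1, 10)),
    HrRecord("bob", "terminated", "engineer", date(2024, 5, 31)),
    HrRecord("carol", "transferred", "marketing", date(2024, 6, 3)),
    HrRecord("eve", "terminated", "contracts", date(2024, 6, 2)),
]
SAMPLE_ACCESS = [
    AccessRecord("alice", True, True, True),
    AccessRecord("bob", True, True, False),    # left three days ago, nothing revoked yet
    AccessRecord("carol", True, True, True),   # moved to a non-CUI role today
    AccessRecord("dave", True, True, False),   # no HR record at all
    AccessRecord("eve", False, False, True),   # already fully offboarded
]

if __name__ == "__main__":
    for line in audit_report(reconcile(SAMPLE_HR, SAMPLE_ACCESS, TODAY), TODAY):
        print(line)
```

Driving revocation from the HR record rather than from manually filed tickets is what catches the two cases a ticket-based process misses: accounts with no owner in HR at all, and terminations whose revocation quietly slipped past the policy window. The report lines double as the "record of actions taken" that the offboarding practice asks for.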
Summary:
The Personnel Security family in NIST 800-171 Rev 2 emphasizes the importance of screening individuals before granting them access to Controlled Unclassified Information (CUI) and revoking access promptly when personnel no longer need it. By carefully managing who has access to CUI and ensuring timely revocation when roles change, organizations can reduce the risk of insider threats, unauthorized access, and potential data breaches. Proper personnel security practices are critical for maintaining the integrity and confidentiality of CUI and ensuring compliance with security regulations.