Control ID Title / Statement Priority Baseline Impact
PS-01
Policy and Procedures 9 params
a. Develop, document, and disseminate to {{ insert: param, ps-1_prm_1 }}: 1. {{ insert: param, ps-01_odp.03 }} personnel security policy that: (a) Addresses purpose, scope, roles, respo...
Param ID Label Constraint / Choices
ps-1_prm_1 organization-defined personnel or roles Organization-defined
ps-01_odp.01 personnel or roles personnel or roles to whom the personnel security policy is to be disseminated is/are defined;
ps-01_odp.02 personnel or roles personnel or roles to whom the personnel security procedures are to be disseminated is/are defined;
ps-01_odp.03 Select one-or-more: organization-level; mission/business process-level; system-level
ps-01_odp.04 official an official to manage the personnel security policy and procedures is defined;
ps-01_odp.05 frequency the frequency at which the current personnel security policy is reviewed and updated is defined;
ps-01_odp.06 events events that would require the current personnel security policy to be reviewed and updated are defined;
ps-01_odp.07 frequency the frequency at which the current personnel security procedures are reviewed and updated is defined;
ps-01_odp.08 events events that would require the personnel security procedures to be reviewed and updated are defined;
PS-02
Position Risk Designation 1 param
a. Assign a risk designation to all organizational positions; b. Establish screening criteria for individuals filling those positions; and c. Review and update position risk designations {{ i...
Param ID Label Constraint / Choices
ps-02_odp frequency the frequency at which to review and update position risk designations is defined;
PS-03
Personnel Screening 3 params
a. Screen individuals prior to authorizing access to the system; and b. Rescreen individuals in accordance with {{ insert: param, ps-3_prm_1 }}.
Param ID Label Constraint / Choices
ps-3_prm_1 organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening Organization-defined
ps-03_odp.01 conditions requiring rescreening conditions requiring rescreening of individuals are defined;
ps-03_odp.02 frequency the frequency of rescreening individuals where it is so indicated is defined;
PS-03(01)
Classified Information
Verify that individuals accessing a system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which ...
PS-03(02)
Formal Indoctrination
Verify that individuals accessing a system processing, storing, or transmitting types of classified information that require formal indoctrination, are formally indoctrinated for all the relevant t...
PS-03(03)
Information Requiring Special Protective Measures 1 param
Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection: (a) Have valid access authorizations that are demonstrated by assigned of...
Param ID Label Constraint / Choices
ps-03.03_odp additional personnel screening criteria additional personnel screening criteria to be satisfied for individuals accessing a system processing, storing, or tr...
PS-03(04)
Citizenship Requirements 2 params
Verify that individuals accessing a system processing, storing, or transmitting {{ insert: param, ps-03.04_odp.01 }} meet {{ insert: param, ps-03.04_odp.02 }}.
Param ID Label Constraint / Choices
ps-03.04_odp.01 information types information types that are processed, stored, or transmitted by a system that require individuals accessing the syste...
ps-03.04_odp.02 citizenship requirements citizenship requirements to be met by individuals to access a system processing, storing, or transmitting information...
PS-04
Personnel Termination 2 params
Upon termination of individual employment: a. Disable system access within {{ insert: param, ps-04_odp.01 }}; b. Terminate or revoke any authenticators and credentials associated with the indiv...
Param ID Label Constraint / Choices
ps-04_odp.01 time period a time period within which to disable system access is defined;
ps-04_odp.02 information security topics information security topics to be discussed when conducting exit interviews are defined;
PS-04(01)
Post-employment Requirements
(a) Notify terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and (b) Require terminated individuals to sign an...
PS-04(02)
Automated Actions 3 params
Use {{ insert: param, ps-04.02_odp.01 }} to {{ insert: param, ps-04.02_odp.02 }}.
Param ID Label Constraint / Choices
ps-04.02_odp.01 automated mechanisms automated mechanisms to notify personnel or roles of individual termination actions and/or to disable access to syste...
ps-04.02_odp.02 Select one-or-more: notify {{ insert: param, ps-04.02_odp.03 }} of individual termination actions; disable access to system resources
ps-04.02_odp.03 personnel or roles personnel or roles to be notified upon termination of an individual is/are defined (if selected);
PS-05
Personnel Transfer 4 params
a. Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions w...
Param ID Label Constraint / Choices
ps-05_odp.01 transfer or reassignment actions transfer or reassignment actions to be initiated following transfer or reassignment are defined;
ps-05_odp.02 time period following the formal transfer action the time period within which transfer or reassignment actions must occur following transfer or reassignment is defined;
ps-05_odp.03 personnel or roles personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organi...
ps-05_odp.04 time period time period within which to notify organization-defined personnel or roles when individuals are reassigned or transfe...
PS-06
Access Agreements 2 params
a. Develop and document access agreements for organizational systems; b. Review and update the access agreements {{ insert: param, ps-06_odp.01 }}; and c. Verify that individuals requiring a...
Param ID Label Constraint / Choices
ps-06_odp.01 frequency the frequency at which to review and update access agreements is defined;
ps-06_odp.02 frequency the frequency at which to re-sign access agreements to maintain access to organizational information is defined;
PS-06(01)
Information Requiring Special Protection
PS-06(02)
Classified Information Requiring Special Protection
Verify that access to classified information requiring special protection is granted only to individuals who: (a) Have a valid access authorization that is demonstrated by assigned official gover...
PS-06(03)
Post-employment Requirements
(a) Notify individuals of applicable, legally binding post-employment requirements for protection of organizational information; and (b) Require individuals to sign an acknowledgment of these r...
PS-07
External Personnel Security 2 params
a. Establish personnel security requirements, including security roles and responsibilities for external providers; b. Require external providers to comply with personnel security policies and ...
Param ID Label Constraint / Choices
ps-07_odp.01 personnel or roles personnel or roles to be notified of any personnel transfers or terminations of external personnel who possess organi...
ps-07_odp.02 time period time period within which third-party providers are required to notify organization-defined personnel or roles of any ...
PS-08
Personnel Sanctions 2 params
a. Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and b. Notify {{ insert: param, ps-08_odp.01 }}...
Param ID Label Constraint / Choices
ps-08_odp.01 personnel or roles personnel or roles to be notified when a formal employee sanctions process is initiated is/are defined;
ps-08_odp.02 time period the time period within which organization-defined personnel or roles must be notified when a formal employee sanction...
PS-09
Position Descriptions
Incorporate security and privacy roles and responsibilities into organizational position descriptions.
ps-1a Develop, document, and disseminate to {{ insert: param, ps-1_prm_1 }}:
ps-1a.1 {{ insert: param, ps-01_odp.03 }} personnel security policy that:
ps-1a.1.(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
ps-1a.1.(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
ps-1a.2 Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;
ps-1b Designate an {{ insert: param, ps-01_odp.04 }} to manage the development, documentation, and dissemination of the personnel security policy and pro...
ps-1c Review and update the current personnel security:
ps-1c.1 Policy {{ insert: param, ps-01_odp.05 }} and following {{ insert: param, ps-01_odp.06 }}; and
ps-1c.2 Procedures {{ insert: param, ps-01_odp.07 }} and following {{ insert: param, ps-01_odp.08 }}.
ps-2a Assign a risk designation to all organizational positions;
ps-2b Establish screening criteria for individuals filling those positions; and
ps-2c Review and update position risk designations {{ insert: param, ps-02_odp }}.
ps-3.3.(a) Have valid access authorizations that are demonstrated by assigned official government duties; and
ps-3.3.(b) Satisfy {{ insert: param, ps-03.03_odp }}.
ps-3a Screen individuals prior to authorizing access to the system; and
ps-3b Rescreen individuals in accordance with {{ insert: param, ps-3_prm_1 }}.
ps-4.1.(a) Notify terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and
ps-4.1.(b) Require terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process.
ps-4a Disable system access within {{ insert: param, ps-04_odp.01 }};
ps-4b Terminate or revoke any authenticators and credentials associated with the individual;
ps-4c Conduct exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }};
ps-4d Retrieve all security-related organizational system-related property; and
ps-4e Retain access to organizational information and systems formerly controlled by terminated individual.
ps-5a Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are r...
ps-5b Initiate {{ insert: param, ps-05_odp.01 }} within {{ insert: param, ps-05_odp.02 }};
ps-5c Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
ps-5d Notify {{ insert: param, ps-05_odp.03 }} within {{ insert: param, ps-05_odp.04 }}.
ps-6.2.(a) Have a valid access authorization that is demonstrated by assigned official government duties;
ps-6.2.(b) Satisfy associated personnel security criteria; and
ps-6.2.(c) Have read, understood, and signed a nondisclosure agreement.
ps-6.3.(a) Notify individuals of applicable, legally binding post-employment requirements for protection of organizational information; and
ps-6.3.(b) Require individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information.
ps-6a Develop and document access agreements for organizational systems;
ps-6b Review and update the access agreements {{ insert: param, ps-06_odp.01 }}; and
ps-6c Verify that individuals requiring access to organizational information and systems:
ps-6c.1 Sign appropriate access agreements prior to being granted access; and
ps-6c.2 Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}.
ps-7a Establish personnel security requirements, including security roles and responsibilities for external providers;
ps-7b Require external providers to comply with personnel security policies and procedures established by the organization;
ps-7c Document personnel security requirements;
ps-7d Require external providers to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess...
ps-7e Monitor provider compliance with personnel security requirements.
ps-8a Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and
ps-8b Notify {{ insert: param, ps-08_odp.01 }} within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifyin...