Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/PS

From FISMApedia

NIST SP 800-53Ar1 Assessment Procedure Catalog, with SP 800-53r3 Security Controls


PERSONNEL SECURITY

PS-1 PERSONNEL SECURITY POLICY AND PROCEDURES


FAMILY: PERSONNEL SECURITY CLASS: OPERATIONAL


Security Control Baseline:
PS-1 Personnel Security Policy and Procedures | Priority: P1 | LOW: PS-1 | MOD: PS-1 | HIGH: PS-1


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PS-1


ASSESSMENT PROCEDURE
PS-1 PERSONNEL SECURITY POLICY AND PROCEDURES
PS-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents personnel security policy;
(ii) the organization personnel security policy addresses:
(iii) the organization disseminates formal documented personnel security policy to elements within the organization having associated personnel security roles and responsibilities;
(iv) the organization develops and formally documents personnel security procedures;
(v) the organization personnel security procedures facilitate implementation of the personnel security policy and associated personnel security controls; and
(vi) the organization disseminates formal documented personnel security procedures to elements within the organization having associated personnel security roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy and procedures, other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].
PS-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of personnel security policy reviews/updates;
(ii) the organization reviews/updates personnel security policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of personnel security procedure reviews/updates; and
(iv) the organization reviews/updates personnel security procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].


PS-2 POSITION CATEGORIZATION


FAMILY: PERSONNEL SECURITY CLASS: OPERATIONAL


Security Control Baseline:
PS-2 Position Categorization | Priority: P1 | LOW: PS-2 | MOD: PS-2 | HIGH: PS-2


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PS-2


ASSESSMENT PROCEDURE
PS-2 POSITION CATEGORIZATION
PS-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization assigns a risk designation to all positions within the organization;
(ii) the organization establishes screening criteria for individuals filling organizational positions;
(iii) the organization defines the frequency of risk designation reviews and updates for organizational positions; and
(iv) the organization reviews and revises position risk designations in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing position categorization; appropriate codes of federal regulations; list of risk designations for organizational positions; security plan; records of risk designation reviews and updates; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].



PS-3 PERSONNEL SCREENING


FAMILY: PERSONNEL SECURITY CLASS: OPERATIONAL


Security Control Baseline:
PS-3 Personnel Screening | Priority: P1 | LOW: PS-3 | MOD: PS-3 | HIGH: PS-3


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PS-3


ASSESSMENT PROCEDURE
PS-3 PERSONNEL SCREENING
PS-3.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization screens individuals prior to authorizing access to the information system;
(ii) the organization defines conditions requiring re-screening and, where re-screening is so indicated, the frequency of such re-screening; and
(iii) the organization re-screens individuals according to organization-defined conditions requiring re-screening and, where re-screening is so indicated, the organization-defined frequency of such re-screening.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing personnel screening; records of screened personnel; security plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/PS-3/1


PS-3(1) PERSONNEL SCREENING
PS-3(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization ensures that every user accessing an information system processing, storing, or transmitting classified information is cleared to the highest classification level of the information on the system; and
(ii) the organization ensures that every user accessing an information system processing, storing, or transmitting classified information is indoctrinated to the highest classification level of the information on the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing personnel screening; records of screened personnel; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/PS-3/2


PS-3(2) PERSONNEL SCREENING
PS-3(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization formally indoctrinates every user accessing an information system that processes, stores, or transmits types of classified information requiring formal indoctrination for all of the relevant types of information on the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing personnel screening; records of screened personnel; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].


PS-4 PERSONNEL TERMINATION


FAMILY: PERSONNEL SECURITY CLASS: OPERATIONAL


Security Control Baseline:
PS-4 Personnel Termination | Priority: P2 | LOW: PS-4 | MOD: PS-4 | HIGH: PS-4


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PS-4


ASSESSMENT PROCEDURE
PS-4 PERSONNEL TERMINATION
PS-4.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization terminates information system access upon termination of individual employment;
(ii) the organization conducts exit interviews of terminated personnel;
(iii) the organization retrieves all security-related organizational information system-related property from terminated personnel; and
(iv) the organization retains access to organizational information and information systems formerly controlled by terminated personnel.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing personnel termination; records of personnel termination actions; list of information system accounts; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].



PS-5 PERSONNEL TRANSFER


FAMILY: PERSONNEL SECURITY CLASS: OPERATIONAL


Security Control Baseline:
PS-5 Personnel Transfer | Priority: P2 | LOW: PS-5 | MOD: PS-5 | HIGH: PS-5


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PS-5


ASSESSMENT PROCEDURE
PS-5 PERSONNEL TRANSFER
PS-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization reviews logical and physical access authorizations to information systems/facilities when personnel are reassigned or transferred to other positions within the organization;
(ii) the organization defines the transfer or reassignment actions and the time period within which the actions must occur following formal transfer or reassignment; and
(iii) the organization initiates the organization-defined transfer or reassignment actions within an organization-defined time period following formal transfer or reassignment.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing personnel transfer; security plan; records of personnel transfer actions; list of information system and facility access authorizations; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].



PS-6 ACCESS AGREEMENTS


FAMILY: PERSONNEL SECURITY CLASS: OPERATIONAL


Security Control Baseline:
PS-6 Access Agreements | Priority: P3 | LOW: PS-6 | MOD: PS-6 | HIGH: PS-6


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PS-6


ASSESSMENT PROCEDURE
PS-6 ACCESS AGREEMENTS
PS-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization identifies appropriate access agreements for individuals requiring access to organizational information and information systems;
(ii) individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access;
(iii) the organization defines the frequency of reviews/updates for access agreements; and
(iv) the organization reviews/updates the access agreements in accordance with the organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing access agreements for organizational information and information systems; security plan; access agreements; records of access agreement reviews and updates; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/PS-6/1


PS-6(1) ACCESS AGREEMENTS
PS-6(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization grants access to information with special protection measures only to individuals who:
  • have a valid access authorization that is demonstrated by assigned official government duties; and
  • satisfy associated personnel security criteria.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing access agreements for organizational information and information systems; access agreements; access authorizations; personnel security criteria; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/PS-6/2


PS-6(2) ACCESS AGREEMENTS
PS-6(2).1 ASSESSMENT OBJECTIVE:
Determine if the organization grants access to classified information with special protection measures only to individuals who:
  • have a valid access authorization that is demonstrated by assigned official government duties;
  • satisfy associated personnel security criteria; and
  • have read, understood, and signed a nondisclosure agreement.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing access agreements for organizational information and information systems; access agreements; access authorizations; personnel security criteria; signed nondisclosure agreements; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].


PS-7 THIRD-PARTY PERSONNEL SECURITY


FAMILY: PERSONNEL SECURITY CLASS: OPERATIONAL


Security Control Baseline:
PS-7 Third-Party Personnel Security | Priority: P1 | LOW: PS-7 | MOD: PS-7 | HIGH: PS-7


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PS-7


ASSESSMENT PROCEDURE
PS-7 THIRD-PARTY PERSONNEL SECURITY
PS-7.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization establishes personnel security requirements, including security roles and responsibilities, for third-party providers;
(ii) the organization documents personnel security requirements for third-party providers; and
(iii) the organization monitors third-party provider compliance with personnel security requirements.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing third-party personnel security; list of personnel security requirements; acquisition documents; compliance monitoring process; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities; third-party providers].



PS-8 PERSONNEL SANCTIONS


FAMILY: PERSONNEL SECURITY CLASS: OPERATIONAL


Security Control Baseline:
PS-8 Personnel Sanctions | Priority: P3 | LOW: PS-8 | MOD: PS-8 | HIGH: PS-8


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/PS-8


ASSESSMENT PROCEDURE
PS-8 PERSONNEL SANCTIONS
PS-8.1 ASSESSMENT OBJECTIVE:
Determine if the organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Personnel security policy; procedures addressing personnel sanctions; rules of behavior; records of formal sanctions; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities].


