
PS.L2-3.9.1: Screen Individuals

Conduct screening of individuals prior to granting access to systems or facilities containing CUI.

Not everyone should have access to CUI. Some roles require screening before access is granted. This is a hiring gate, not a continuous check. Verify that individuals are who they say they are and screen for disqualifying factors.

Family: Personnel Security
Practice: PS.L2-3.9.1
Difficulty: Medium
Key evidence: Screening policy, background check reports, onboarding records

What the assessor is actually evaluating

The assessor is checking: (1) Do you have a screening policy that applies to people accessing CUI? (2) Do you follow it? (3) Can you show background checks for current staff? You don’t need top-secret clearance-level vetting. You need a defensible screening process: background check, reference check, or equivalent. The depth depends on the role and risk.

The control is “prior to granting access.” That means screening happens before day one, before the person gets a network account or facility access. Personnel screening feeds into AC.L2-3.1.1 and AC.L2-3.1.2 (access control decisions) and PS.L2-3.9.2 (personnel actions when they leave).

What a realistic SSP definition looks like

PS.L2-3.9.1 Screening Prior to Access

All individuals granted access to CUI systems or facilities are screened prior to access. Screening includes:

  • Background check via [vendor] covering criminal history, employment verification, and reference checks
  • Identity verification (government ID)
  • Disqualifying factors evaluation (felony convictions, pattern of dishonesty, etc.)

Screening is documented in the personnel file. Access is not granted until screening is complete. Contractors and temporary personnel undergo the same screening as employees. [Manager] is responsible for ensuring screening is completed before access provisioning.

How to present your evidence

Gather these items:
  • Screening policy document (what applies, what's checked, who does it)
  • Background check reports or certificates for current personnel (one or two examples)
  • Onboarding checklist showing screening as a required step
  • Documentation of disqualifying factors your organization evaluates
  • Records for contractors or temporary staff showing they were screened

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Q: “How do you screen people before they access CUI?” A: “We do a background check through [vendor]. It covers criminal history, employment, and references. Screening is completed before access is granted.” [Pull up screening policy]

Q: “Can you show me an example?” A: “[Employee] was hired in [month]. Here’s the background check report completed before they started.” [Show report (may be summarized if sensitive)]

Q: “What about contractors?” A: “Same screening. We require background checks for all personnel with CUI access, employees or contractors.”

Q: “What’s a disqualifying factor?” A: “[Your organization’s criteria]. We review for [felony convictions, pattern of dishonesty, etc.]. HR makes the final determination.”

Common failures

No screening at all. Employees start work and get access immediately. No background check, no verification. You need a screening process. Choose a vendor and do background checks.

Screening after access granted. You hire someone, grant access day one, and run a background check later. Screening must happen before access. Change your onboarding to screen first.

Inconsistent screening. You screened employees but not contractors. All personnel with CUI access need screening. Include contractors and temporary staff in your policy.

You're good here. You have a screening policy that applies to all personnel with CUI access. Background checks are completed before access is granted. You can show recent examples from hire records. Assessors verify the policy is followed and move on.

What screening looks like in practice

Most organizations use a third-party vendor for background checks. Popular options include Sterling, Clarity, or similar. You complete a form, the vendor runs the check, you get a report. Most take 3-5 business days.

For your policy, define:

  • Who requires screening: Anyone with access to CUI systems or data
  • What’s checked: Criminal history, employment verification, references (at minimum)
  • What’s disqualifying: Felony convictions, pattern of dishonesty, etc. (you decide)
  • Who approves: Usually HR or the hiring manager
  • Documentation: The check report goes in the personnel file

Add a step to your onboarding: “Screening complete” is a gate before access provisioning.

If you use an MSP/MSSP

Contractors and MSP personnel also need screening if they access CUI. Include in your MSP agreement that personnel have been screened. Ask them for screening documentation or have them complete your screening process. Track it in your personnel records.

This guide reflects CMMC Level 2 requirements as of March 2026. CMMC and NIST standards evolve. Verify current requirements with official CMMC materials and your assessor.
