Not everyone should have access to CUI. Some roles require screening before access is granted. This is a hiring gate, not a continuous check. Verify that individuals are who they say they are and screen for disqualifying factors.
What the assessor is actually evaluating
The assessor is checking: (1) Do you have a screening policy that applies to people accessing CUI? (2) Do you follow it? (3) Can you show background checks for current staff? You don’t need top-secret clearance-level vetting. You need a defensible screening process: background check, reference check, or equivalent. The depth depends on the role and risk.
The control is “prior to granting access.” That means screening happens before day one, before the person gets a network account or facility access. Personnel screening feeds into AC.L2-3.1.1 and AC.L2-3.1.2 (access control decisions) and PS.L2-3.9.2 (personnel actions when they leave).
What a realistic SSP definition looks like
All individuals granted access to CUI systems or facilities are screened prior to access. Screening includes:
- Background check via [vendor] covering criminal history, employment verification, and reference checks
- Identity verification (government ID)
- Disqualifying factors evaluation (felony convictions, pattern of dishonesty, etc.)
Screening is documented in the personnel file. Access is not granted until screening is complete. Contractors and temporary personnel undergo the same screening as employees. [Manager] is responsible for ensuring screening is completed before access provisioning.
How to present your evidence
- Screening policy document (what applies, what's checked, who does it)
- Background check reports or certificates for current personnel (one or two examples)
- Onboarding checklist showing screening as a required step
- Documentation of disqualifying factors your organization evaluates
- Records for contractors or temporary staff showing they were screened
Common failures
No screening at all. Employees start work and get access immediately. No background check, no verification. You need a screening process. Choose a vendor and do background checks.
If you use an MSP/MSSP
Contractors and MSP personnel also need screening if they access CUI. Include in your MSP agreement that personnel have been screened. Ask them for screening documentation or have them complete your screening process. Track it in your personnel records.
Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.
Q&A: What the assessor asks
Q: “Can you show me an example?” A: “[Employee] was hired in [month]. Here’s the background check report completed before they started.” [Show report (may be summarized if sensitive)]
Q: “What about contractors?” A: “Same screening. We require background checks for all personnel with CUI access, employees or contractors.”
Q: “What’s a disqualifying factor?” A: “[Your organization’s criteria]. We review for [felony convictions, pattern of dishonesty, etc.]. HR makes the final determination.”
This guide reflects CMMC Level 2 requirements as of March 2026. CMMC and NIST standards evolve. Verify current requirements with official CMMC materials and your assessor.