What the Personnel Security Domain Is For
The Personnel Security domain establishes the human authorization basis for the CMMC environment. Its two requirements govern the pre-access screening of personnel and the protection of systems during personnel actions such as terminations, transfers, and role changes. The domain is the smallest in the standard by control count, but its output is referenced by almost every other domain that makes an authorization decision.
The practitioner reading of PS is that it is the upstream foundation of the compliance program rather than a discrete operational area. Access control authorizations trace back to personnel records. Identifier provisioning is triggered by personnel events. Physical access is granted based on personnel status. Training assignments depend on role. Audit records reference actors whose identities originated as personnel entries. When PS is weak, every dependent domain inherits unreliable authorization data, and the compliance posture of the program becomes difficult to defend.
Defense contractors preparing for CMMC Level 2 assessment frequently treat PS as an HR function rather than as a security domain. The two perspectives are not incompatible, but they are not identical. HR manages personnel for employment purposes. PS manages personnel for security purposes. The assessable evidence for PS requires visibility into personnel status from the security perspective, with integration between HR processes and the security controls that depend on them.
The Two Controls
PS.L2-3.9.1 Screen Individuals
Individuals must be screened before being authorized access to organizational systems containing CUI. The control establishes pre-access vetting as a condition of authorization. The specific screening requirements are an organizational decision, typically including background check elements such as criminal history, employment verification, and reference checks. The depth of screening should be commensurate with the access level being granted, with more extensive screening for individuals who will hold privileged access. The assessable evidence includes documented screening policies, records of screening completion for each authorized individual, and the basis for any exceptions or waivers. Contractor and vendor personnel who hold authorized access fall within the screening obligation; this is a common gap, because organizations frequently apply screening only to direct employees.
PS.L2-3.9.2 Personnel Actions
Organizational systems containing CUI must be protected during and after personnel actions such as terminations and transfers. The control addresses the security dimension of personnel lifecycle events. During a termination, access must be revoked, physical access devices must be recovered, and the systems and data the individual could reach must be protected from any actions the departing individual might take. During a transfer or role change, access authorizations must be reviewed and adjusted to match the new role rather than accumulated on top of the previous authorizations. The assessable evidence covers the timeliness and completeness of the response to personnel actions, including integration between HR processes and the security controls that depend on them. The control interacts directly with Access Control, Identification and Authentication, and Physical Protection because the authorizations governed by those domains depend on current personnel status.
Where Personnel Security Intersects with Other Domains
Personnel Security is one of the most densely connected domains in the framework despite its small control count. Its authorization decisions flow into nearly every dependent domain.
Access Control depends on PS as the upstream source of the personnel status that underlies every access decision. The list of authorized users referenced by AC.3.1.1 originates with personnel records that PS maintains. A termination triggers an AC change. A role transfer triggers an AC review. When PS events do not propagate to AC in a timely manner, stale access remains active on AC's side despite PS having updated the underlying personnel status.
Identification and Authentication depends on PS for identifier provisioning and lifecycle events. A new hire creates an identifier through a PS-triggered workflow. A termination triggers identifier disabling under IA.3.5.6. The integrity of the identifier lifecycle depends on the reliability of the PS events that feed it.
Awareness and Training depends on PS for role information that drives training assignments. AT.3.2.2 requires role-based training, and the role information originates with personnel records. When PS treats role changes as routine HR events without security-side notification, training assignments do not adjust and the AT.3.2.2 evidence fails to show training appropriate to the new role.
Physical Protection depends on PS for the authorization that physical access devices enforce. PE.3.10.1 limits physical access to authorized individuals, and the authorization originates with personnel records. PE.3.10.5 requires management of physical access devices, and the device recovery obligation depends on PS triggers at termination and transfer.
Audit and Accountability depends on PS indirectly, because audit records reference actors whose identities originated as personnel entries. When personnel records are stale or inconsistent, the actor attribution in audit records becomes harder to reconcile with current organizational reality.
Maintenance depends on PS for the authorization status that MA.3.7.6 references when distinguishing between maintenance personnel who hold required access authorization and those who do not. The supervision requirement for unauthorized maintenance personnel assumes the organization knows who holds authorization, which is a PS determination.
Common Implementation Pitfalls
Several patterns come up repeatedly in Personnel Security readiness work.
Off-boarding that takes days or weeks to complete. An employee separates, HR processes the departure, and the security-side actions (account deactivation, badge recovery, device collection) occur on a delayed timeline. During the delay, the departed individual retains access that should have been revoked at separation. The remediation requires integration between HR and security processes so that personnel actions trigger security responses immediately rather than through a multi-day workflow.
Contractor and vendor staff treated differently from employees. Screening and personnel action processes apply rigorously to direct employees and loosely to contractors, vendors, and temporary staff. The PS controls apply to everyone with authorized access to CUI systems, regardless of employment arrangement. The remediation requires extending the PS discipline to all individuals within the assessment scope.
Role changes not triggering authorization review. An employee transfers to a new role, and the access appropriate to the new role is added. The access appropriate to the old role remains in place. Over time, the individual accumulates authorizations that exceed any current role, which creates least-privilege findings in AC even though the PS events that caused the accumulation were each handled correctly in isolation. The remediation requires treating role changes as authorization review events, not just authorization addition events.
Screening limited to criminal background only. The screening process verifies criminal history but does not address employment verification, reference checks, or other indicators appropriate to the access level. For individuals who will hold privileged access or handle highly sensitive CUI, a criminal background check alone is often insufficient to satisfy the risk-commensurate standard that PS.3.9.1 implies.
No integration between HR systems and security processes. HR manages personnel records in a system that the security team does not have visibility into. Security processes rely on manual notification from HR, and notifications are inconsistent. The remediation is a documented integration between HR events and security responses, whether through automated system integration or through a documented workflow that both teams execute reliably.
Temporary personnel with permanent-level access. A contractor or temporary employee is granted the same access level as a permanent employee in a similar role. When the assignment ends, the access is not immediately revoked because the temporary status was not flagged in the authorization system. The remediation is explicit tracking of temporary authorization with scheduled expiration, rather than assuming that temporary status will be remembered and acted on at the right time.
Where to Start
For an organization new to the PS domain, the first work is the authorization map.
The foundational deliverable is a map of every individual with authorized access to CUI systems, their role, the screening status that supports the authorization, and the personnel status that keeps the authorization current. The map must cover direct employees, contractors, vendors, and any other individuals who hold authorized access. Without this map, PS.3.9.1 cannot be evidenced and PS.3.9.2 cannot be operated because the organization does not know which authorizations to adjust when personnel actions occur.
The second deliverable is the personnel action workflow: a documented process that defines what security-side actions follow from each personnel event type, who executes them, and what evidence documents completion. The workflow must produce records that show the timeliness of responses to personnel actions, which is the assessable evidence for PS.3.9.2.
With the authorization map and personnel action workflow in place, the PS domain becomes a matter of operational discipline rather than design. The controls are few, but the coordination they require between HR and security is a practical exercise that, in many organizations, needs ongoing attention rather than one-time setup.
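The authorization map and the personnel action workflow are both easiest to operate when the HR-side personnel record and the security-side access record are reconciled on a schedule, so that each of the pitfalls listed above surfaces as a finding rather than as an assessment surprise. The following is an added example of such a reconciliation check, written for this page and not taken from any CMMC publication or tool. The personnel rows, account rows, role-to-entitlement baseline, one-day revocation window, and finding codes are all constructed assumptions; an organization would substitute its own authorization map and policy values.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed role-to-entitlement baseline; in practice this comes from the
# organization's own authorization map, not from this example.
ROLE_ENTITLEMENTS = {
    "engineer": {"cui-share-ro", "vpn"},
    "sysadmin": {"cui-share-ro", "vpn", "domain-admins"},
    "finance": {"erp-cui", "vpn"},
}
PRIVILEGED_ENTITLEMENTS = {"domain-admins"}   # assumed to require enhanced screening
REVOCATION_SLA = timedelta(days=1)             # assumed policy: revoke within one day

@dataclass
class Person:
    """One row of the HR-side personnel record (constructed schema)."""
    uid: str
    kind: str                        # "employee" or "contractor"
    status: str                      # "active" or "terminated"
    role: str                        # current role only; old roles are not kept
    screening: str | None            # None, "basic" or "enhanced"
    separation: date | None = None   # set when status == "terminated"
    access_expires: date | None = None  # scheduled expiry for temporary staff

@dataclass
class Account:
    """One row of the security-side access record (constructed schema)."""
    uid: str
    enabled: bool
    entitlements: set[str] = field(default_factory=set)
    badge_active: bool = False

def reconcile(people: list[Person], accounts: list[Account], as_of: date) -> list[tuple[str, str]]:
    """Return (uid, finding) pairs wherever access disagrees with personnel status."""
    findings = []
    by_uid = {p.uid: p for p in people}
    for acct in accounts:
        p = by_uid.get(acct.uid)
        if p is None:                                  # account with no personnel entry
            findings.append((acct.uid, "NO_PERSONNEL_RECORD"))
            continue
        if p.status == "terminated":                   # PS.3.9.2: termination handling
            if acct.enabled and p.separation and as_of - p.separation > REVOCATION_SLA:
                findings.append((acct.uid, "STALE_ACCESS"))
            if acct.badge_active:
                findings.append((acct.uid, "BADGE_NOT_RECOVERED"))
            continue
        if not acct.enabled:
            continue
        if p.screening is None:                        # PS.3.9.1: no screening on record
            findings.append((acct.uid, "UNSCREENED"))
        elif p.screening == "basic" and acct.entitlements & PRIVILEGED_ENTITLEMENTS:
            findings.append((acct.uid, "SCREENING_BELOW_ACCESS_LEVEL"))
        excess = acct.entitlements - ROLE_ENTITLEMENTS.get(p.role, set())
        if excess:                                     # role change left old access in place
            findings.append((acct.uid, "EXCESS_ENTITLEMENTS:" + ",".join(sorted(excess))))
        if p.kind == "contractor":                     # temporary staff need a tracked expiry
            if p.access_expires is None:
                findings.append((acct.uid, "TEMP_ACCESS_NO_EXPIRY"))
            elif p.access_expires < as_of:
                findings.append((acct.uid, "TEMP_ACCESS_EXPIRED"))
    return findings

# Constructed sample data covering each pitfall discussed on this page.
AS_OF = date(2024, 6, 10)
SAMPLE_PEOPLE = [
    Person("alice", "employee", "active", "sysadmin", "enhanced"),
    Person("bob", "employee", "terminated", "engineer", "basic", separation=date(2024, 6, 3)),
    Person("carol", "employee", "active", "finance", "basic"),      # transferred from engineer
    Person("dave", "contractor", "active", "engineer", "basic", access_expires=date(2024, 5, 31)),
    Person("erin", "contractor", "active", "engineer", None),
    Person("frank", "employee", "active", "engineer", "basic"),
]
SAMPLE_ACCOUNTS = [
    Account("alice", True, {"cui-share-ro", "vpn", "domain-admins"}),
    Account("bob", True, {"cui-share-ro", "vpn"}, badge_active=True),
    Account("carol", True, {"erp-cui", "vpn", "cui-share-ro"}),      # old role's share access kept
    Account("dave", True, {"cui-share-ro", "vpn"}),
    Account("erin", True, {"cui-share-ro", "vpn"}),
    Account("frank", True, {"cui-share-ro", "vpn", "domain-admins"}),
    Account("ghost", True, {"vpn"}),                                  # nobody in HR matches this
]

def run_sample() -> list[tuple[str, str]]:
    return reconcile(SAMPLE_PEOPLE, SAMPLE_ACCOUNTS, AS_OF)

if __name__ == "__main__":
    for uid, finding in run_sample():
        print(f"{uid:8} {finding}")
```

Each finding code lines up with one of the pitfalls: STALE_ACCESS and BADGE_NOT_RECOVERED are the slow off-boarding case, EXCESS_ENTITLEMENTS is the role change that added but never removed, TEMP_ACCESS_EXPIRED and TEMP_ACCESS_NO_EXPIRY are the temporary staff case, UNSCREENED and SCREENING_BELOW_ACCESS_LEVEL are the screening gaps, and NO_PERSONNEL_RECORD is an account the authorization map cannot explain. Run on a schedule, the output is also the timeliness evidence PS.3.9.2 asks for, since each run records what was still open as of a given date.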