The CMMC version 0.7 (draft) has the following security requirement.
CMMC Personnel Security (PS) P1127 (Level 2)
“Screen individuals prior to authorizing access to organizational systems containing Federal Contract Information.”
This is a Level 2 requirement. There are no level 3, 4, or 5 requirements in this draft version of the CMMC. Systems containing CUI and highly sensitive CUI would need to comply with this too, but I am surprised that there is no additional requirement for the higher levels.
The CMMC document included a discussion from NIST SP 800-171 R2 (3.9.1) for this same security requirement in the appendix (page C-51) to clarify this control. It recommends evaluating the individual’s “conduct, integrity, judgement, loyalty, reliability, and stability” before giving access to systems with CUI.
How do we evaluate conduct, integrity, judgement, loyalty, reliability, and stability?
Loyalty is a key statement. At level 3+ we start talking about CUI, which could be used to harm the United States if disclosed. Evaluation of loyalty at the higher levels of CMMC should probably be similar to how we do clearances.
Is the individual a United States citizen? That counts for a lot. People tend to be loyal to their nation by default. I’d also consider whether they have close family and friends who are citizens of a different country, especially if that country competes heavily against the US.
It isn’t by chance that high security cloud vendors like Office 365 GCC High or AWS GovCloud require their administrators to be US citizens.
Disclaimer: This article is my own opinion. Use all available sources of information (especially the official ones!) when you are making decisions about security.
Please assist by commenting with your thoughts and experiences. Any links to official guidance would be very much appreciated!
Remember that you can talk this through with your contracting officer on the government side.
Conduct and integrity – background checks and references
A criminal background check is a good evaluation for past conduct and integrity, but it isn’t fail-safe. It only tells you whether they have been caught committing a misdemeanor or felony. Do any of your employees steal K-cups or load up on office supplies for their home? Does HR talk to references and specifically ask them about integrity during the recruitment process? They should, especially at higher levels of CMMC.
What quality is your background check? Performing any background check will probably be fine at levels 1 or 2.
For CMMC 3, 4, and 5: If your contract employees go through a NACLC background investigation when they start work at a federal site, you might want to consider an equivalent service (FBI database + credit check + local agency search) for other staff that access the CUI network, particularly ones with privileged access.
Reliability and credit checks
Some companies perform a credit check since this gives information about reliability. Low credit scores in an older adult can indicate carelessness and a lack of responsibility. Insider threat risk is higher from someone who feels a lot of pressure about money.
Low credit scores are to be expected from an individual in their 20s. Or the individual might have gone into debt due to serious illness, which is the cause of 46% of bankruptcies. So be careful about disqualifying candidates based entirely on credit score.
Judgement and stability – drug screening and illness
Judgement and stability, in my opinion, relate to whether the individual will mishandle sensitive information. For example, will they use an easy-to-guess password, copy sensitive information onto their home computer, or boast about the company’s new weapon system in mixed company? Risk factors for this are drug use (including legal drugs like painkillers) and mental illness.
I’ve known two people who, because of illness, started having judgement problems while they were working. One of them had to be pulled from a project with secret data after they tried to bring work home. Will your HR department proactively contact IT to remove access if coworkers complain?
Marijuana use is still a federal crime, even if your state has legalized it. Both the military and federal agencies have zero-tolerance policies against their people using it. Marijuana use, even medical marijuana, is a red flag on a security clearance review.
Possible actions: Policy-wise, if the job function requires access to CUI, disallow hiring of anyone with a medical marijuana license. If an employee needs to start using marijuana, move them to a role that has no access to CUI. Consider periodic drug testing in regions where recreational marijuana use is legal.
I’d encourage you to talk with your HR legal counsel and contracting officer about this topic, especially if your employees are in a state that has legalized marijuana.
Next, the CMMC example says to “follow the appropriate laws, policies, regulations, and criteria for the level of access required for each position.”
What policies, regulations, and criteria is P1127 talking about?
At CMMC levels 1 and 2, I don’t know of anything specific to FCI that we have to worry about (please comment if you know of something). Your contract might have requirements for personnel screening.
Certain types of CUI require additional screening before granting access. An example is Unclassified Controlled Nuclear Information (UCNI), in which only Authorized Individuals are allowed to grant routine access to the data.
I don’t know of any specific guidance for private sector system admin staff. On the DoD side, they consider admin staff to be more risky than regular users, so they have higher requirements for both clearances and cyber-security training.
One example is the DoD Cyber Workforce Management Program and DoD 8570. Personnel performing information assurance (system administration, development, cybersecurity, and other admin roles) are required to pass certification tests. These tests measure cybersecurity knowledge and technical proficiency. In practice, this helps IT staff 1) know what exploits exist and how to strengthen systems against them, and 2) know how to do their job so that they don’t break the system by misconfiguring it.
8570 certifications are a requirement for managing DoD networks, so they don’t directly apply to CMMC and contractor networks, but I would encourage you to think about them for your admin staff, especially if your CMMC level is 4 or 5.
Will the screening requirements for CMMC get harder?
So far the CMMC requirement for personnel screening is easy to comply with for most companies. The example for Level 2 simply recommends background checks and drug testing.
I’d like to think that level 4 and level 5 will have higher personnel screening requirements, such as being US citizens, but in practice this is hard to do. We need the best talent to develop new solutions for our military, even if they weren’t born in the US. So I understand why the CMMC stops at Level 2 for this control.
I hope this discussion about P1127 and personnel screening was helpful to you.
Please join the conversation with your experiences!
I would greatly appreciate comments with links to official screening requirements for CUI, Federal Contract Information (FCI), Unclassified Controlled Nuclear Information (UCNI), International Traffic in Arms Regulations (ITAR), etc.! I’ll update the article with them.
Links for CUI personnel screening criteria and regulations
Department of Energy (guidance for Unclassified Controlled Nuclear Information (UCNI))
Department of Energy, 10 CFR Part 1017 (Unclassified Controlled Nuclear Information, UCNI); search for 1017.19