BRACKETOLOGY | FEDRAMP

PS-3: PERSONNEL SCREENING

FedRAMP Baseline Membership PS-3: LOW, MODERATE, HIGH

FedRAMP Bracketology

Use the FedRAMP Control Membership information above to determine if a control or control enhancement is required for each Impact Baseline — LOW, MODERATE, or HIGH.


Review and use Additional Requirements and Guidance to build FedRAMP-compliant controls for your risk-based cybersecurity program.


The organization:

    • a. Screens individuals prior to authorizing access to the information system; and
    • b. Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening].

FedRAMP control configuration for the LOW, MODERATE, and HIGH baselines (the FedRAMP-assigned value is shown in [BRACKETS]):

The organization:

    • a. Screens individuals prior to authorizing access to the information system; and
    • b. Rescreens individuals according to [for national security clearances, a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and the fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions].

SUPPLEMENTAL GUIDANCE

Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems.

CONTROL ENHANCEMENTS

PS-3 (1) PERSONNEL SCREENING | CLASSIFIED INFORMATION

The organization ensures that individuals accessing an information system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system.

Supplemental Guidance: NONE

RELATED CONTROLS: PS-3 (1)

PS-3 (2) PERSONNEL SCREENING | FORMAL INDOCTRINATION

The organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of information to which they have access on the system.

Supplemental Guidance:

Types of classified information requiring formal indoctrination include, for example, Special Access Program (SAP), Restricted Data (RD), and Sensitive Compartmented Information (SCI).

RELATED CONTROLS: PS-3 (2)

PS-3 (3) PERSONNEL SCREENING | INFORMATION WITH SPECIAL PROTECTION MEASURES

FedRAMP Baseline Membership PS-3 (3): MODERATE, HIGH

The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection:

    • (a) Have valid access authorizations that are demonstrated by assigned official government duties; and
    • (b) Satisfy [Assignment: organization-defined additional personnel screening criteria].

There are no FedRAMP-specific requirements if this control is used for a LOW Impact system.

FedRAMP control configuration for the MODERATE and HIGH baselines (the FedRAMP-assigned value is shown in [BRACKETS]):

The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection:

    • (a) Have valid access authorizations that are demonstrated by assigned official government duties; and
    • (b) Satisfy [personnel screening criteria — as required by specific information].

Supplemental Guidance:

Organizational information requiring special protection includes, for example, Controlled Unclassified Information (CUI) and Sources and Methods Information (SAMI). Personnel security criteria include, for example, position sensitivity background screening requirements.

REFERENCES:

  • 5 C.F.R. 731.106
  • FIPS Publication 199
  • FIPS Publication 201
  • ICD 704
  • NIST Special Publication 800-60
  • NIST Special Publication 800-73
  • NIST Special Publication 800-76
  • NIST Special Publication 800-78