BRACKETOLOGY | FEDRAMP

PS-5: PERSONNEL TRANSFER

  • FedRAMP Baseline Membership PS-5: LOW, MODERATE, HIGH

Use the FedRAMP Control Membership information above to determine whether a control or control enhancement is required for each Impact Baseline: LOW, MODERATE, or HIGH.


Review and use Additional Requirements and Guidance to build FedRAMP-compliant controls for your risk-based cybersecurity program.


The organization:

    • a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;
    • b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action];
    • c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
    • d. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].

FedRAMP control configuration information by baseline, in the order Low, Moderate, High:

LOW

The organization:

  • a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;
  • b. Initiates [Assignment: organization-defined transfer or reassignment actions] within organization-defined time period following the formal transfer action;
  • c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
  • d. Notifies organization-defined personnel or roles within five days of the formal transfer action (DoD 24 hours).

MODERATE

The organization:

  • a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;
  • b. Initiates [Assignment: organization-defined transfer or reassignment actions] within organization-defined time period following the formal transfer action;
  • c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
  • d. Notifies organization-defined personnel or roles within five days of the formal transfer action (DoD 24 hours).

HIGH

The organization:

  • a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;
  • b. Initiates organization-defined transfer or reassignment actions within twenty-four (24) hours;
  • c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
  • d. Notifies organization-defined personnel or roles within twenty-four (24) hours.

SUPPLEMENTAL GUIDANCE

This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts.

CONTROL ENHANCEMENTS

NO CONTROL ENHANCEMENTS

REFERENCES:

  • NO REFERENCES