Introduction
Background screening and reference checking are not only pre-hire steps. Anyone requesting access to systems that store or process Controlled Unclassified Information (CUI) should be screened to a higher standard than a routine new hire, and contractors requiring access to such systems must be vetted just as closely.
Granting Access
Control | Requirement
3.9.1 | Screen individuals prior to authorizing access to organizational systems containing CUI.
Before employees or contractors are entrusted with access to CUI, a fresh background check should be run, so that the organization is not relying on a check performed at the time of hire and knows whether the individual has been involved in questionable activity since.
Beyond the typical pre-employment checks that verify education, employment history, and driving records, consider more extensive screening such as a criminal history check. Because criminal records are not held in a single repository, checks at the county, state, and federal level may each be needed to get a complete picture.
"Onboarding" to a CUI system should also include written managerial authorization of the access, stating the specific reason it is needed and the approximate period for which it is needed, so that the authorization can be reviewed and revoked when that period ends.
Terminating Access
Control | Requirement
3.9.2 | Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
When a change in a user's status is anticipated, actions may need to be completed within a matter of minutes, so that CUI is protected before a user who is being off-boarded has a chance to steal or sabotage information. This is especially true when the user's relationship with the organization is being permanently terminated.
Processes for revoking a user's access to a CUI system immediately can include prompt notification to the IT team to:
- Disable the user's credentials to the system in question, and reset the password so that the old credential cannot be reused;
- In the case of an employee permanently separating from the organization, disable the departing employee's account in Active Directory (note that disabling an account does not end sessions that are already established, so active sessions and issued tokens should be terminated as well);
- Disable VPN and Remote Desktop access;
- Disable access to business applications.
Every request and every action taken should be documented, including a timestamp, the justification for the action, and the name or initials of the team member who performed it.
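The following PowerShell function is an added example, not code from the original article or from FoxGuard Solutions. It performs the off-boarding steps listed above against on-premises Active Directory and writes the audit record the text calls for (timestamp, actor, action, justification, result). It requires the RSAT ActiveDirectory module and rights to modify the target account. The group names, the quarantine OU, the log path, the user name and the ticket number in the invocation are assumptions made for this illustration; substitute the ones used in your domain.

```powershell
# Added example (not from the original article): off-board a user from a CUI
# environment and record each step. Assumed names are marked as such below.
#Requires -Modules ActiveDirectory

function Invoke-CuiOffboarding {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $Justification,      # e.g. ticket number and reason
        [switch] $PermanentSeparation,                        # termination, as opposed to a transfer
        [string] $LogPath = 'C:\CUI-Audit\offboarding.csv',   # assumed audit log location
        # Assumed group names: membership in these grants VPN, RDP and application access.
        [string[]] $AccessGroups = @('VPN-Users', 'RemoteDesktop-Users', 'CUI-App-Users'),
        [string] $DisabledOu = 'OU=Disabled Users,DC=example,DC=com'   # assumed quarantine OU
    )

    # Every step is logged with the same fields: who, when, what, why, and the outcome.
    $actor = "$env:USERDOMAIN\$env:USERNAME"
    $null = New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force
    function Write-AuditRecord {
        param([string] $Action, [string] $Result)
        [pscustomobject]@{
            Timestamp     = (Get-Date).ToString('o')   # ISO 8601 with UTC offset
            Actor         = $actor
            Subject       = $SamAccountName
            Action        = $Action
            Justification = $Justification
            Result        = $Result
        } | Export-Csv -Path $LogPath -Append -NoTypeInformation
    }

    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    Write-AuditRecord -Action 'Offboarding started' -Result "DN=$($user.DistinguishedName)"

    # 1. Credentials: reset the password to a random value first, so an open session
    #    cannot be used to re-authenticate, then disable the account.
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Reset password and disable account')) {
        $bytes = New-Object byte[] 32
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $random = [Convert]::ToBase64String($bytes) | ConvertTo-SecureString -AsPlainText -Force
        Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $random
        Disable-ADAccount -Identity $SamAccountName
        Write-AuditRecord -Action 'Password reset and account disabled' -Result 'OK'
    }

    # 2. Remote and application access: clear the dial-in flag consulted by NPS/RRAS
    #    policies and remove the user from the groups that grant VPN, RDP and app access.
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Revoke remote and application access')) {
        Set-ADUser -Identity $SamAccountName -Replace @{ msNPAllowDialin = $false }
        foreach ($group in $AccessGroups) {
            $isMember = $user.MemberOf | Where-Object { $_ -like "CN=$group,*" }
            if ($isMember) {
                Remove-ADGroupMember -Identity $group -Members $SamAccountName -Confirm:$false
                Write-AuditRecord -Action "Removed from group $group" -Result 'OK'
            } else {
                Write-AuditRecord -Action "Removed from group $group" -Result 'Not a member'
            }
        }
    }

    # 3. Permanent separation: move the disabled account to a quarantine OU so it falls
    #    outside normal GPO and application scopes while the record itself is retained.
    if ($PermanentSeparation -and
        $PSCmdlet.ShouldProcess($SamAccountName, "Move to $DisabledOu")) {
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOu
        Write-AuditRecord -Action 'Moved to disabled OU' -Result $DisabledOu
    }

    Write-AuditRecord -Action 'Offboarding completed' -Result 'OK'
}

# Example invocation (user name and ticket number are constructed for this example).
# Rehearse with -WhatIf first; each step then reports what it would do without changing anything.
# Invoke-CuiOffboarding -SamAccountName jdoe -Justification 'HR-4421 termination' -PermanentSeparation -WhatIf
# Invoke-CuiOffboarding -SamAccountName jdoe -Justification 'HR-4421 termination' -PermanentSeparation
```

Two caveats a practitioner should keep in mind when adapting this. Disabling the account and removing group memberships stops new logons, but Kerberos tickets and application sessions that were issued before the change remain valid until they expire, so active RDP and VPN sessions should be terminated separately, and any cloud identity (for example Entra ID) needs its own token revocation. The audit CSV is only evidence if it is written somewhere the off-boarded user could never have modified, so keep it on a protected share or forward it to the SIEM.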
Need Help?
If you are an Organization Seeking Certification (OSC) and are overwhelmed by the scale and complexity of CMMC, consider professional services to help you plan, implement, and maintain compliance and ensure uninterrupted eligibility for DoD work.
FoxGuard Solutions delivers reliable, secure and configurable solutions to solve technology and compliance challenges faced by critical infrastructure entities. With over four decades of experience, our team focuses on delivering customized cybersecurity and compliance solutions.
Our services will help guide your organization through the Discovery, Planning, Execution and Maintenance phases necessary to allow your organization to attain Cybersecurity Maturity Model Certification (CMMC). Our team of experts will partner with you to review existing policies, processes, procedures, and technical controls to identify any gaps with CMMC requirements. An execution plan will be created that aligns with your needs, budget and timeline, and which outlines a recommended approach to attain CMMC.
As a Microsoft Gold Certified Partner, FoxGuard Solutions has experience delivering both on-premises and cloud-based solutions to assist you with your compliance needs.
FoxGuard Solutions is ISO 9001 and ISO 27001 certified, and is a CMMC Registered Provider Organization.
Please visit https://foxguardsolutions.com/cmmc/ for more information.