PS.L3-3.9.2e Adverse Information

Ensure that organizational systems are protected if adverse information develops or is obtained about individuals with access to CUI.

Source: NIST SP 800-172 3.9.2e

Discussion: If adverse information develops or is obtained about an individual with access to CUI which calls into question whether the individual should have continued access to systems containing CUI, actions are taken (e.g., preclude or limit further access by the individual, audit actions taken by the individual) to protect the CUI while the adverse information is resolved.

Assessment Objectives:

Determine if:

Examine: [SELECT FROM: Personnel security policy; system and services acquisition policy; procedures addressing personnel screening; records of screened personnel; enterprise architecture documentation; system design documentation; system architecture and configuration documentation; security plan; list of individuals who have been identified as posing an increased level of risk; list of appropriate access authorizations required for system personnel; personnel screening criteria and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel responsible for personnel security; organizational personnel responsible for information security; organizational personnel responsible for system and services acquisition; organizational personnel responsible for personnel screening].

Test: [SELECT FROM: Organizational processes for personnel screening; mechanisms supporting personnel screening].

SPRS Score: 1

POA&M Allowed: Yes