CMMC Deep Dive: Personnel Security (PS)

This article is part of our series on The 14 CMMC Domains.

The Personnel Security (PS) domain focuses on minimizing the risks that employees, contractors, and other personnel pose to the organization before, during, and after their employment.

Why It Matters

Insider threats, whether malicious or unintentional, are a significant cause of security breaches. This domain ensures that individuals are trustworthy before being granted access and that access is promptly removed upon departure.

Key Practices

• PS.L2-3.9.1: Screen individuals prior to authorizing access to systems containing CUI.
• PS.L2-3.9.2: Protect CUI during and after personnel actions such as terminations and transfers.

What Assessors Look For

• A documented personnel screening policy.
• Evidence that screening is performed for relevant positions.
• Formal, documented procedures for employee onboarding (joiners), transfers (movers), and terminations (leavers).
• Checklists or records demonstrating that access was revoked and assets were returned upon employee departure.