Securing Access Unlocking Personnel Screening

Explore the critical personnel security requirements within NIST SP800-171 and CMMC 2.0 Level 2 standards. Learn practical processes for screening, onboarding, and access approvals, and uncover the nuances between standard employment screening and federal background investigations to safeguard Controlled Unclassified Information.

This show was created with Jellypod, the AI Podcast Studio.


Chapter 1

Understanding Personnel Security Requirements

Eric Marquette

Hey everyone, welcome back to CMMC Unlocked. I'm Eric, and as always, I'm here with Paul and Roz. Today, we're diving into a crucial piece of the compliance puzzle—personnel security requirements for CMMC Level 2. If you caught our last episode on physical security, this is really the flip side: not just who can physically walk into your facility, but who has the keys—digitally and otherwise—to your CUI. So, let's start at the top. Personnel Security, or PS, in NIST SP800-171 zeroes in on two main areas: one, screening individuals before they're given access to systems that house Controlled Unclassified Information—that's 3.9.1—and two, making sure those systems and that data stay protected anytime someone's role changes, like terminations or internal transfers, which is 3.9.2.

Paul Netopski

Right, and if you actually look at how this gets enforced at the organizational level, that screening has to happen before the person ever touches anything CUI-related. It's not just best practice, it's audit evidence. The example Personnel Security Policy, for example, specifically requires background screening—plus those USCIS I-9 and E-Verify checks—for not just hires, but any contractors or consultants that might end up with access. And all that documentation lives in HR, so it's accounted for if you're ever asked during an assessment. The expectation is that you'll have proof of screening before onboarding a new user to systems with CUI. Miss that step, and you could be out of compliance, period.

Roz the Rulemaker

Absolutely, Paul. And the logic behind this is pretty straightforward—CUI isn't just ordinary company data—it's covered by federal regulation, so anyone with access should be vetted to ensure they're trustworthy and eligible. The CMMC Level 2 controls make this explicit. It's not just "Did you run a background check?"—there's an expectation that you have a documented process that aligns with NIST SP800-171A objectives as well. That often means your policy and your process have to be aligned with what the assessor will look for, right down to document retention, and even approval flows.

Eric Marquette

Yeah, and let me just add—coming from the media world, the way we did "vetting" when I started at my first TV network was basically, "Can this person write a good script and not make us look bad?" I mean, the bar was lower. I remember onboarding designers, IT folks, producers—we’d check references, maybe ask for a portfolio, sometimes run a criminal background, but that was about it. In defense, especially with CUI, it's a whole other level. You have to satisfy legal requirements, plus track every approval and every person's access. The differences are huge. In the creative industries it felt like a handshake; in CMMC it's a paper trail that's got to withstand audit scrutiny.

Paul Netopski

That's a great comparison, Eric. Actually, even the example policy—every access, every screening, logged and reviewed before account creation. And you have to protect those systems during terminations or transfers, not after the fact. The key is coordination: HR, IT, security, managers, everyone has a job to play. If there's a gap, that's how you end up with someone who should have lost access still poking around in sensitive systems.

Roz the Rulemaker

It's also critical from a rulemaking perspective—if the organization can't demonstrate its screening and offboarding policy is comprehensive and enforced, it's a major red flag. Think back to the False Claims Act cases we covered a few episodes ago. Even process gaps—like missing a single offboarding ticket—can trigger substantial penalties under federal compliance standards. That’s why the requirements are so prescriptive here.

Chapter 2

Processes for Screening and Access Approval

Eric Marquette

So let's get into the "how"—because I know we're getting questions from listeners about the practical side. What are the actual steps for personnel screening and documented access approval? Paul, you want to walk us through what this looks like?

Paul Netopski

Yeah, definitely. The actual flow, based on example customer documentation, is pretty standardized, and mirrors what you’d expect for defense contractors. First, HR kicks off the process—a new user needs access, so HR fills out a New User Authorization Form and submits it to IT. The key detail is that this form doesn’t just ask for name and start date—it captures what systems, apps, or physical areas require access, and it specifically calls out if CUI is involved.

Roz the Rulemaker

And then before any accounts get created, there’s a formal approval. The manager reviews and signs off—that’s your check for business need. Meanwhile, HR is making sure all background screening and annual CUI training boxes are checked. So, it’s not enough to pass a background—there’s documented verification of everything: screening, training, and no active HR flags or disciplinary actions. Only after that do IT and Security step in to actually provision system and facility access. And every single thing gets logged—in the Access Inventory, as well as in the ticketing system, for audit purposes.

Paul Netopski

Exactly, Roz. And this whole workflow directly supports broader access control requirements, like AC.L1-3.1.1 and IA.L1-3.5.1. The idea is you can only access what you’re specifically authorized for and that you can be confidently identified, because the onboarding, approval, and provisioning steps are all documented and cross-checked. Now, here’s an example—years ago, I saw a situation where a contractor was supposed to be moved to a new project, but there was a paperwork delay. Their CUI permissions weren't pulled for a couple days. Luckily, because the IT department followed the documented procedure and checked every time, it was flagged before the person had any unsanctioned access. If that access review step had been skipped, you could easily end up with unauthorized exposure of CUI.

Eric Marquette

That’s a good real-world example—those access reviews are more than box-checking, they really are your last line of defense before something serious slips through. And these offboarding and transfer procedures? They're just as important. When HR notifies IT of a departure, all system accounts and credentials must be terminated inside that 24-hour window. If it's a transfer, the process is: revoke prior access rights, and only reinstate what’s needed after management approval and revalidation. And—this is something I didn't realize until I read these checklists—every asset, every badge, physical or logical access, needs to be tracked, with documentation stored for audits. The paper trail doesn’t end till final review and sign-off.

Roz the Rulemaker

Exactly. Those checklists are essential evidence for auditors, like when demonstrating compliance with CMMC 2.0 Level 2 or NIST 800-171A criteria. Every control, whether it’s “screened,” “established,” “terminated,” or “protected,” links directly back to the documented steps you just described. If you can’t produce the form or the log, it might as well not have happened from an assessor’s point of view.

Chapter 3

Screening vs. Background Investigations in Federal Compliance

Eric Marquette

Now here’s a question we get a lot: Is this basic employment screening the same as the federal government’s background investigation? I’ll be honest, I always mix this up. Roz, what’s actually expected, say, if you’ve got a new hire who used to work for, let’s say, a federal agency—does their clearance count, or do you redo everything from scratch?

Roz the Rulemaker

Great question, Eric. There’s actually a clear difference outlined in both DCSA guidance and NIST materials. “Screening” for CMMC/NIST means your organization’s process to check that someone is who they claim to be and doesn’t pose a risk before granting CUI access. This usually means background checks, reference verification, I-9 completion, and in some cases, criminal or credit checks—pretty standard stuff. A formal federal background investigation, however, is a much more rigorous process—think Security Clearances handled by DCSA or OPM—often involving interviews, national agency checks, and ongoing monitoring. Now, NIST guidance allows that, if a person already holds the appropriate federal clearance and has been recently vetted, that may satisfy or even supplement your own screening requirements. But, and it’s a big ‘but,’ you need documentation and must still verify there aren’t new risk factors since their last investigation.

Paul Netopski

Yeah, and in practice, the CMMC 2.0 Level 2 requirements don’t demand every CUI user gets a Secret or TS clearance, but the organization does have to show it’s done its due diligence. I’ve seen DoD subcontractors who accept a prior federal clearance as evidence of adequate screening, but only if it’s up to date and relevant for the current duties. For example, if Sally’s last investigation was three years ago and there’s no record of adverse findings since, you’d probably be good, as long as you still log your own onboarding steps and check for any new issues. And honestly, if your documentation shows the rationale—“approved based on valid prior clearance”—that’s usually compliant as long as it’s defensible during audit.

Roz the Rulemaker

And this is where compliance can get a little murky. What counts as “adequate” screening depends on both your internal policy and the scope of the user’s access. If your Acceptable Use Policy says prior clearances are valid, and you’ve got HR sign-off and a manager’s approval, you’re probably safe. Where organizations get into trouble is accepting outdated or informal vetting, or skipping procedural steps because “they used to work for a federal agency”—that just doesn’t cut it without the paperwork.

Eric Marquette

Sounds like the safe route is: document everything, don’t make assumptions, and keep a tight audit trail, whether it’s your own checks or accepting a federal clearance. It’s a lot to juggle, but it’s better than explaining to an assessor—or worse, a regulator—why you can’t prove you followed policy.

Paul Netopski

Exactly. I might just add—if you keep your procedure straightforward, map it to the requirements, and never shortcut either screening or offboarding, you’ll stay out of trouble with both CMMC and the feds. And if you’re in doubt, get a second opinion before you sign off on access.

Roz the Rulemaker

That’s a wrap for today’s episode. We covered why CUI access vetting matters, the nuts and bolts of onboarding and offboarding, and the fine print around federal background investigations. If you want a checklist for your own organization or have burning compliance questions, reach out or listen in next time. Paul, Eric, great insights as always.

Eric Marquette

Had a blast, you two. Thanks for keeping it real—Roz, Paul, always a pleasure. And thanks to everyone for joining us on CMMC Unlocked. We’ll see you next episode—don’t forget to keep your documentation tight and your questions coming.

Paul Netopski

Thanks Roz, thanks Eric—looking forward to our next deep dive. Stay secure out there.