NIST SP 800-171 Rev 2 requirement 3.9.1 reads: "Screen individuals prior to authorizing access to organizational systems containing CUI." Screening must be consistent with applicable federal laws, Executive Orders, directives, regulations, policies, and standards, which for defense contractors typically means a background investigation appropriate to the sensitivity of the information and the role. The practice establishes a trustworthiness baseline for every person who will interact with CUI-bearing systems, whether as a full-time employee, part-time staff, contractor, or privileged user. Screening activities may include criminal background checks, employment verification, reference checks, and, for classified environments, formal security clearance adjudication. The depth of screening should be commensurate with the level of access granted and the sensitivity of the CUI involved; a privileged administrator of a CUI enclave warrants a deeper check than a user with read-only access to a single document repository.
Where it stops · what it isn't
- Does not govern ongoing monitoring or continuous vetting of personnel after initial access authorization; that is a matter for broader personnel security programs (rescreening is an SP 800-53 PS-3 element, not part of this requirement)
- Does not address the termination or transfer of personnel access rights, which is covered by PS-L2-3.9.2
- Does not specify particular background check vendors or investigation service levels beyond consistency with applicable law and policy
- Does not apply to physical-only access to facilities unless those facilities also involve access to CUI-bearing systems
- Does not replace or substitute for formal security clearance processes required under classified programs governed by DCSA
Connected concepts in the graph
PART OF: domain/personnel-security