Mapped to NIST 800-171 Requirement: 3.9.1
CMMC Assessment Objective: PS.L2-3.9.1
What This Control Means
You must ensure individuals are properly screened (e.g., background checks, employment verification, security clearances) before granting them access to organizational systems that handle CUI.
Screening should confirm the individual:
• Is trustworthy
• Has no disqualifying history (e.g., fraud, data misuse)
• Is cleared by internal policies, contract requirements, or government regulations
Why It Matters
Failing to screen personnel can result in:
• Insider threats
• Unauthorized access to sensitive systems
• Reputational and legal consequences if an unvetted individual mishandles CUI
• Non-compliance with DFARS, NIST 800-171, or contractual security clauses
This control is the first gatekeeper in your access control strategy.
How to Implement It
1. Define Screening Requirements in Policy
• Align with federal guidelines (e.g., NIST SP 800-53, DoD clearance requirements)
• Include role-based requirements (e.g., standard checks vs. government suitability checks)
2. Apply Screening to All CUI-Access Roles
• Include full-time employees, contractors, managed service providers (MSPs), and any other third parties who hold access
3. Document the Screening Process
• Maintain records of:
◦ Background checks
◦ Reference checks
◦ Citizenship or employment eligibility verification
◦ Signed NDAs or confidentiality agreements
4. Verify Before Access Is Granted
• Access to CUI systems must be granted only after screening is complete
• Delay account creation or onboarding until screening clears
5. Re-screen When Necessary
• On role change or contract renewal, or after long periods of inactivity
Evidence the Assessor Will Look For
• Personnel security or onboarding policies
• Screening criteria tied to access levels or job functions
• Background check records or vendor screening attestations
• User provisioning documentation showing screening occurred before access
• Signed acknowledgments of policies or NDAs
Common Gaps
• Screening occurs after access is granted
• No screening for contractors or temporary staff
• Incomplete background check documentation
• No link between HR processes and IT account creation
How Cuick Trac Helps
Cuick Trac supports this requirement by:
• Integrating personnel screening with account provisioning workflows
• Requiring confirmation of background checks before user access is allowed
• Tracking user onboarding tasks and signed policy acknowledgments
• Linking user roles to screening levels and storing verification logs
• Supporting compliance documentation for assessments or audits
With Cuick Trac, no one touches CUI unless they’re cleared to do so.
Trust is earned—and verified.
Schedule a Cuick Trac demo to enforce screening requirements and keep unauthorized users out of your CUI systems.