This page is classified as INTERNAL.
NIST 800-53 (r4) Control
The organization:
a. Assigns a risk designation to all organizational positions;
b. Establishes screening criteria for individuals filling those positions; and
c. Reviews and updates position risk designations [FedRAMP Assignment: (H) at least annually, (L) (M) at least every three years].
NIST 800-53 (r4) Supplemental Guidance
Position risk designations reflect Office of Personnel Management policy and guidance. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements (e.g., training, security clearances). Related controls: AT-3, PL-2, PS-3.
NIST 800-53 (r5) Discussion
Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions.
Meets Minimum Requirement:
For each position that touches the boundary, document a Position Risk Description for that position. The position risk description should take into account:
Responsibilities
Screening Process
Information systems the position requires access to
The sensitivity level of the information the position requires access to
Physical access to areas the position requires
Document the screening criteria that apply to these positions (the criteria can be uniform across positions)
Conduct reviews of this documentation and keep a record of each review so that evidence of the reviews can be collected
Best Practice:
Use a specialized third party to conduct personnel investigations
Review social media or other internet activity for indications of insider threat
Have specialized screening criteria for specific roles / positions (e.g. an enhanced background check or technical interviews for privileged users)
Require enhanced ongoing screening or training for higher risk positions
Require higher risk positions to rotate or take mandatory vacations to reduce insider threat
OPM Position Designation Tool: https://www.opm.gov/suitability/suitability-executive-agent/position-designation-tool/
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Review documentation describing position risk
Review documentation describing the screening criteria applied to each position
Inspect evidence that the screening criteria are applied (e.g. review a background check)
CSP Implementation Tips:
AWS: Fully inherited.
Azure: Fully inherited.
GCP: Fully inherited.