This page is classified as INTERNAL.
NIST 800-53 (r4) Control
The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection:
(a) Have valid access authorizations that are demonstrated by assigned official government duties; and
(b) Satisfy [FedRAMP Assignment: (L) (M) (H) for national security clearances; a reinvestigation is required during the fifth (5th) year for top secret security clearance, the tenth (10th) year for secret security clearance, and fifteenth (15th) year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the fifth (5th) year. There is no reinvestigation for other moderate risk positions or any low risk positions].
NIST 800-53 (r4) Supplemental Guidance
Organizational information requiring special protection includes, for example, Controlled Unclassified Information (CUI) and Sources and Methods Information (SAMI). Personnel security criteria include, for example, position sensitivity background screening requirements.
NIST 800-53 (r5) Discussion
Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems.
Meets Minimum Requirement:
Ensure that individuals granted access to the system boundary have a need both for that access and for the privilege level they are assigned
Document and satisfy any specific reinvestigation criteria
Ensure personnel are cleared and indoctrinated to the highest classification level of the information they can access on the system, and to the classification level the Agency has designated for the system
For cleared personnel, ensure that USG-mandated clearance requirements are maintained (e.g. reporting foreign travel/contacts, required training, etc.)
For FedRAMP Tailored, the FedRAMP Low baseline, and the FedRAMP Moderate baseline (except for law enforcement positions), this means the initial investigation is required and is the responsibility of the partnering agency, but there is no reinvestigation requirement unless "suitability issues develop"
Best Practice:
Explicitly include a review of valid access authorization and need to access in recurring account reviews
For cleared personnel, institute job rotation and mandatory vacation
Conduct periodic reevaluations of employees even where reevaluation is not strictly required for compliance
Have a defined and known process for adjudicating adverse findings
Identify the conditions (e.g. adverse findings, suitability issues that develop after screening) under which rescreening is required outside of the established reinvestigation schedule
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Review evidence that a valid access authorization determination was made prior to granting system access (e.g. in the initial account creation ticket)
Review evidence that any applicable reinvestigation criteria have been met
Documented screening procedures for personnel
CSP Implementation Tips:
AWS: Fully inherited for the screening of AWS personnel; screening of the organization's own personnel is not inherited.
Azure: Fully inherited for the screening of Microsoft personnel; screening of the organization's own personnel is not inherited.
GCP: Fully inherited for the screening of Google personnel; screening of the organization's own personnel is not inherited.