Technical controls protect your perimeter. Personnel security controls protect you from the inside. According to most industry data, human error and insider action account for the majority of cyber incidents. This makes the controls found in this nugget among the most important in the entire CMMC framework.

This nugget covers the personnel-focused controls that span multiple NIST 800-171 families. While they are assessed under different sections of your SSP, they share a common theme: controlling what people can access, what they can do, and what happens when their role or employment status changes.

The Personnel Security (PS) Family

CMMC Level 2 contains two PS controls. They are simple in concept and frequently underimplemented in practice.

PS.L2-3.9.1: Screen individuals prior to authorizing access to organizational systems containing CUI

Before granting any individual access to systems containing CUI, your organization must conduct a documented screening process. What this should look like in practice:

  • Background checks appropriate to the sensitivity of the access being granted
  • Employment history verification for new hires
  • Security clearance confirmation (where applicable). Note that while holding a clearance satisfies screening requirements for cleared personnel, uncleared personnel accessing CUI still require a documented screening process
  • A defined policy specifying what screening is required for specific roles and access levels

Assessor Reality Check: Assessors look for a documented screening policy and evidence that it was followed. Saying “We always do background checks” without a written policy and records to support it is an assessment finding.

PS.L2-3.9.2: Ensure CUI systems are protected during and after personnel actions such as terminations and transfers

This is one of the highest-risk controls in the PS family. The window between an employee’s last day and the revocation of their access is when insider threat incidents most commonly occur.

For terminations:

  • Access to all systems must be revoked immediately upon termination, not at the end of the week and not after IT gets around to it
  • Company-issued devices must be recovered and/or wiped before or at the time of separation
  • Physical access credentials (keycards, badges, biometric enrollments) must be deactivated simultaneously with logical access
  • A documented offboarding checklist with timestamps can provide the evidence assessors expect

For transfers and role changes:

  • Access rights must be updated to reflect the new role before or immediately upon transition
  • Access rights of the departing role that the new role does not require must be removed. Organizations cannot simply add access for the new role without cross-referencing what is actually required
  • Periodic access reviews (required under AC.L2-3.1.2) catch cases where role-change access cleanup was missed
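The reconciliation step described above, worked through in code, is an added example and not code from the original article. It assumes a role catalogue that lists the entitlements each job function should hold (the role names, entitlement strings and users below are constructed sample data), and it records a completion timestamp for each offboarding step so that the checklist produces the evidence assessors expect rather than an empty form.

```python
"""Access reconciliation for terminations and transfers (PS.L2-3.9.2).

Added example; not code from the original article. The role catalogue,
entitlement names and user records are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role catalogue: the entitlements each role is supposed to hold.
ROLE_ENTITLEMENTS = {
    "contracts_analyst": {"cui-fileshare:read", "erp:contracts", "vpn"},
    "engineer": {"cui-fileshare:read", "cui-fileshare:write", "plm:cad", "vpn"},
    "it_admin": {"ad:domain-admin", "siem:console", "vpn"},
}

# Offboarding checklist steps. A termination needs all three; a transfer only
# needs the logical access change, because badge and devices stay with the person.
STEPS_BY_ACTION = {
    "termination": ("logical_access_revoked", "badge_deactivated", "devices_recovered"),
    "transfer": ("logical_access_revoked",),
}


@dataclass
class OffboardingRecord:
    user: str
    action: str                                    # "termination" or "transfer"
    revoke: set = field(default_factory=set)
    grant: set = field(default_factory=set)
    evidence: dict = field(default_factory=dict)   # step -> ISO-8601 completion timestamp

    def complete_step(self, step, when=None):
        """Record when a checklist step was actually done; this is the assessor evidence."""
        if step not in STEPS_BY_ACTION[self.action]:
            raise ValueError(f"{step} is not a step for a {self.action}")
        self.evidence[step] = (when or datetime.now(timezone.utc)).isoformat()

    def is_complete(self):
        """A checklist with no completion timestamps is not evidence of completion."""
        return all(step in self.evidence for step in STEPS_BY_ACTION[self.action])


def reconcile_transfer(user, current_entitlements, new_role):
    """Cross-reference current access against the new role's catalogue entry
    instead of adding the new role's access on top of the old role's."""
    target = ROLE_ENTITLEMENTS[new_role]
    current = set(current_entitlements)
    return OffboardingRecord(user=user, action="transfer",
                             revoke=current - target, grant=target - current)


def reconcile_termination(user, current_entitlements):
    """Everything the account holds is revoked; nothing is granted."""
    return OffboardingRecord(user=user, action="termination",
                             revoke=set(current_entitlements))


if __name__ == "__main__":
    rec = reconcile_transfer("jdoe", ROLE_ENTITLEMENTS["engineer"], "contracts_analyst")
    print("transfer revoke:", sorted(rec.revoke), "grant:", sorted(rec.grant))
    rec.complete_step("logical_access_revoked")
    print("transfer complete:", rec.is_complete())
```

The point of the set difference in reconcile_transfer is that an engineer moving into a contracts role loses write access and CAD access automatically; nothing is carried over by default. The periodic access review in AC.L2-3.1.2 then only has to catch records whose is_complete() is still false.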

Assessor Reality Check: Assessors will ask to see your offboarding process and may request evidence of recent terminations. A checklist with no completion records, or a process that relies on informal coordination between HR and IT, will not satisfy this control.

Related Controls Across Other Families

The following controls directly support insider threat mitigation and are assessed under their respective control families in your SSP.

The Access Control (AC) Family

AC.L2-3.1.4: Separate the duties of individuals to reduce the risk of malevolent activity without collusion

Separation of duties (SoD) ensures that no single individual has end-to-end control over a sensitive process. In a defense contractor context, practical examples include:

  • The person who requests system access should not be the same person who approves it
  • The person who manages CUI should not be the same person who controls audit logs for that system
  • The person who submits SPRS scores should not be the same person who conducts the underlying self-assessment

Small organization reality: SoD is genuinely challenging for small teams. Where true separation is not possible due to staffing constraints, document the limitation, implement compensating controls (such as enhanced monitoring and management review), and capture it in your SSP. Assessors understand the constraint; what they cannot accept is an organization that hasn’t thought about it or documented the practical limitation.

AC.L2-3.1.5: Employ the principle of least privilege, including for specific security functions and privileged accounts

Every user should have the minimum access necessary to perform their job or jobs, nothing more. Implementation requires:

  • Role-based access controls (RBAC) with access tied to job function, not seniority or convenience
  • Privileged accounts (domain admins, system admins, security tool access) restricted to the minimum number of individuals operationally required
  • Privileged accounts used only for privileged functions. In other words, administrators should have separate standard accounts for their day-to-day work
  • Regular access reviews to confirm that access still matches current job responsibilities
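The separation-of-duties rules above (no self-approval, no one person holding CUI management and the audit logs for it) and the least-privilege rules (entitlements tied to role, privileged functions on a separate admin account) can be enforced at the point where an access request is approved. The following is an added example, not code from the original article; the account directory, role catalogue and conflicting-duty pairs are constructed sample data, and the "-adm" suffix for privileged accounts is an assumed naming convention.

```python
"""Access request validation: separation of duties (AC.L2-3.1.4) together
with least privilege (AC.L2-3.1.5). Added example; not the article's code.
The directory, role catalogue and conflict pairs are constructed sample data.
"""
from dataclasses import dataclass

# Constructed directory: account name -> the person behind it. An admin's
# daily-use and privileged accounts map to the same person.
ACCOUNT_OWNER = {
    "jdoe": "Jane Doe", "asmith": "Al Smith",
    "asmith-adm": "Al Smith", "bwong": "Bea Wong",
}

# Constructed role catalogue: what each job function legitimately needs.
ROLE_ENTITLEMENTS = {
    "engineer": {"cui-fileshare:read", "cui-fileshare:write", "vpn"},
    "it_admin": {"ad:domain-admin", "siem:console", "vpn"},
}

# Entitlements that may only live on a dedicated privileged account
# (assumed convention: privileged account names end in "-adm").
PRIVILEGED = {"ad:domain-admin", "siem:console"}

# Duties one person must not hold together, e.g. managing CUI and
# controlling the audit logs for the same system, or submitting SPRS
# scores and conducting the self-assessment behind them.
CONFLICTS = {
    frozenset({"cui-fileshare:write", "siem:console"}),
    frozenset({"sprs:submit", "self-assessment:conduct"}),
}


@dataclass(frozen=True)
class AccessRequest:
    account: str        # account that would receive the entitlement
    role: str           # job function the request is justified by
    entitlement: str
    requested_by: str   # account that raised the request
    approved_by: str    # account that approved it


def person(account):
    return ACCOUNT_OWNER.get(account, account)


def validate(req, current_holdings):
    """Return the list of findings; an empty list means the request may be granted.

    current_holdings: entitlements the *person* already holds across all accounts.
    """
    findings = []

    # SoD: the requester may not approve, even from a second account.
    if person(req.approved_by) == person(req.requested_by):
        findings.append("approver is the same person as requester")

    # Least privilege: only entitlements the role actually needs.
    if req.entitlement not in ROLE_ENTITLEMENTS.get(req.role, set()):
        findings.append(f"{req.entitlement} is not part of role {req.role}")

    # Privileged functions go on a separate admin account, not the day-to-day one.
    if req.entitlement in PRIVILEGED and not req.account.endswith("-adm"):
        findings.append("privileged entitlement requested on a standard account")

    # SoD: the person's combined holdings must not form a conflicting pair.
    for held in sorted(current_holdings):
        if frozenset({held, req.entitlement}) in CONFLICTS:
            findings.append(f"{req.entitlement} conflicts with already-held {held}")
    return findings


if __name__ == "__main__":
    req = AccessRequest("asmith", "it_admin", "siem:console", "asmith", "asmith-adm")
    for finding in validate(req, {"cui-fileshare:write"}):
        print("DENY:", finding)
```

Resolving both the requester and the approver to a person rather than an account is what catches an administrator approving their own request from their privileged account. For a small team that cannot avoid a conflicting pair, the finding is the thing to document in the SSP alongside the compensating control, not something to silence.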

AC.L2-3.1.8: Limit unsuccessful logon attempts

Configuring systems to lock accounts after a defined number of failed login attempts blunts brute-force and credential-stuffing attacks. Implementation considerations:

  • Define a specific threshold in policy. Five attempts is a widely adopted industry-accepted standard
  • Configure the lockout in the actual system to match the documented policy
  • Require administrator involvement to unlock accounts. This creates a review opportunity to detect repeated suspicious activity
  • Document exceptions (service accounts, automated processes) and the compensating controls that apply to them
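To show how the four considerations fit together, here is an added example (not code from the original article) of a lockout policy object: a threshold of five failures within a counting window, a lockout that only an administrator can clear, an unlock count that can be reviewed for repeated activity, and a documented service-account exception that alerts instead of locking. The threshold, window length and account names are constructed to mirror the policy the text describes; a real system would enforce this in the identity provider or directory rather than in application code.

```python
"""Account lockout after a documented threshold (AC.L2-3.1.8).

Added example; not code from the original article. The threshold, window and
service-account list are constructed to mirror the policy the text describes.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

LOCKOUT_THRESHOLD = 5                   # must match the number written in policy
FAILURE_WINDOW = timedelta(minutes=15)  # failures older than this no longer count
# Documented exception: service accounts are not locked (locking them would let
# a single attacker halt automation), so hitting the threshold raises an alert
# instead. That alert is the compensating control.
SERVICE_ACCOUNTS = {"svc-backup"}

# Fixed reference time so the demonstration is reproducible (constructed).
EPOCH = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)


def at(seconds):
    """Timestamp `seconds` after EPOCH."""
    return EPOCH + timedelta(seconds=seconds)


@dataclass
class AccountState:
    failures: list = field(default_factory=list)   # timestamps of recent failures
    locked: bool = False
    unlocks: list = field(default_factory=list)    # (timestamp, admin) records


class LockoutPolicy:
    def __init__(self):
        self.accounts = {}
        self.alerts = []

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def attempt(self, user, success, now=None):
        """Process one logon attempt. Returns 'ok', 'failed', 'locked' or 'alerted'."""
        now = now or datetime.now(timezone.utc)
        st = self._state(user)
        if st.locked:
            return "locked"          # a locked account rejects even a correct password
        if success:
            st.failures.clear()
            return "ok"
        st.failures = [t for t in st.failures if now - t < FAILURE_WINDOW] + [now]
        if len(st.failures) < LOCKOUT_THRESHOLD:
            return "failed"
        if user in SERVICE_ACCOUNTS:
            self.alerts.append((now.isoformat(), user, "failure threshold reached"))
            return "alerted"
        st.locked = True
        return "locked"

    def admin_unlock(self, user, admin, now=None):
        """Only an administrator unlocks. Returns the running unlock count for the
        account so that repeated unlocks can be reviewed as suspicious activity."""
        now = now or datetime.now(timezone.utc)
        st = self._state(user)
        st.locked = False
        st.failures.clear()
        st.unlocks.append((now.isoformat(), admin))
        return len(st.unlocks)


if __name__ == "__main__":
    policy = LockoutPolicy()
    for i in range(5):
        print(i + 1, policy.attempt("jdoe", False, at(i)))
    print("unlock count:", policy.admin_unlock("jdoe", "asmith-adm", at(60)))
```

The unlock count returned by admin_unlock is the review opportunity the text mentions: an account unlocked three times in a week is worth a conversation regardless of whether each individual lockout looked benign.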

AC.L2-3.1.22: Control information posted or processed on publicly accessible information systems

Your organization must have a documented process ensuring that CUI is never inadvertently published to public-facing systems (websites, social media, public file sharing, or any other externally accessible platform). Key requirements:

  • A defined approval process before any content is published externally
  • Only authorized personnel permitted to publish content
  • Regular review of existing public content for inadvertent CUI exposure
  • Explicit policy addressing social media, press releases, and public-facing portals

The Media Protection (MP) Family

MP.L2-3.8.7: Control the use of removable media on system components

Removable media (USB drives, external hard drives, SD cards) are one of the simplest and most effective exfiltration vectors for insider threats. Controls include:

  • Disable USB ports on all endpoints within the CUI environment by default using endpoint management or group policy
  • Maintain an approved media list consisting of only company-issued, encrypted, and registered devices permitted as exceptions
  • Document the approval process for exceptions and log authorized use
  • Enforce through technical controls, not just policy. A policy prohibiting USB use that isn’t technically enforced is not a valid control

MP.L2-3.8.8: Prohibit the use of portable storage devices with no identifiable owner

This control closes a specific gap that 3.8.7 leaves open: the unknown device. Any portable storage device that cannot be traced to an identified, authorized owner must be prohibited. Implementation:

  • All authorized portable storage must be labeled and registered to a specific individual
  • Endpoint security software should automatically block unregistered devices
  • A process must exist for handling discovered unidentified media, which may include a forensic review before any connection to organizational systems
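The decision logic behind MP.L2-3.8.7 and MP.L2-3.8.8 together, as an added example that is not code from the original article: a default-deny registry of approved devices, a separate rejection for a device that is registered but has no identifiable owner, and an audit log entry for every connection attempt. The registry entries, serial numbers and connection events are constructed sample data; in practice the decision would be made by an endpoint device-control agent, with this logic expressed in its policy.

```python
"""Removable media allowlisting (MP.L2-3.8.7 together with MP.L2-3.8.8).

Added example; not code from the original article. The device registry and
the USB connection events are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RegisteredDevice:
    serial: str
    owner: str            # empty string means no identifiable owner
    encrypted: bool
    approval: str         # ticket documenting the approved exception


# Constructed registry keyed by hardware serial. Default posture is deny:
# anything not listed here is blocked (3.8.7).
REGISTRY = {
    "SN-1001": RegisteredDevice("SN-1001", "jdoe", True, "EXC-0042"),
    "SN-1002": RegisteredDevice("SN-1002", "", True, "EXC-0051"),     # found in a drawer, owner unknown
    "SN-1003": RegisteredDevice("SN-1003", "asmith", False, "EXC-0060"),
}


def decide(event):
    """Return (allowed, reason) for one connection event {'host', 'user', 'serial'}."""
    dev = REGISTRY.get(event["serial"])
    if dev is None:
        return False, "unregistered device: blocked by default (3.8.7)"
    if not dev.owner:
        return False, "no identifiable owner: prohibited (3.8.8)"
    if not dev.encrypted:
        return False, "registered but not encrypted"
    if dev.owner != event["user"]:
        return False, f"registered to {dev.owner}, used by {event['user']}"
    return True, f"authorized exception {dev.approval}"


def process(events):
    """Evaluate each event and return the audit log entries an assessor would review."""
    log = []
    for ev in events:
        allowed, reason = decide(ev)
        log.append({**ev, "allowed": allowed, "reason": reason})
    return log


# Constructed connection events as an endpoint agent might report them.
SAMPLE_EVENTS = [
    {"host": "eng-07", "user": "jdoe", "serial": "SN-1001"},
    {"host": "eng-07", "user": "jdoe", "serial": "SN-9999"},
    {"host": "ops-02", "user": "bwong", "serial": "SN-1002"},
    {"host": "eng-03", "user": "asmith", "serial": "SN-1003"},
    {"host": "eng-03", "user": "bwong", "serial": "SN-1001"},
]


if __name__ == "__main__":
    for entry in process(SAMPLE_EVENTS):
        print("ALLOW" if entry["allowed"] else "BLOCK", entry["serial"], entry["reason"])
```

Two details matter for assessment evidence: the log records blocked attempts as well as allowed ones, so the technical enforcement the text insists on is demonstrable, and the ownerless device SN-1002 is rejected even though someone once registered it, which is exactly the gap 3.8.8 exists to close.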

The Physical and Environmental Protection (PE) Family

PE.L2-3.10.6: Enforce safeguarding measures for CUI at alternate work sites

With telework now standard across the Defense Industrial Base (DIB), this control addresses the physical and technical security of CUI outside your primary facility. This is a Physical and Environmental Protection (PE) control, and assessors are looking for physical safeguards, not just technical ones:

Technical controls:

  • Encrypted devices for all remote work involving CUI
  • Mandatory VPN for access to CUI systems from remote locations
  • MFA required for remote access (also required under IA.L2-3.5.3)

Physical controls — frequently missed:

  • Policy requiring employees to work in a private space where screens cannot be viewed by unauthorized individuals
  • Requirements for securing printed CUI at home (locked storage, no leaving documents unattended, etc.)
  • Screen lock requirements when stepping away from the device
  • Policy addressing family members and visitors in the work-from-home environment

Assessor Reality Check: Assessors evaluating PE.L2-3.10.6 are looking for physical safeguard documentation, not just VPN logs. A telework policy that covers only technical controls will not fully satisfy this control.

The System and Information Integrity (SI) Family

SI.L2-3.14.7: Identify unauthorized use of organizational systems

Detecting insider threats requires the capability to identify when systems are being used in ways that fall outside normal authorized patterns. Implementation:

  • SIEM deployment with use-case rules tuned to detect anomalous user behaviors such as unusual access times, large data transfers, or access to systems outside the normal job scope
  • User and Entity Behavior Analytics (UEBA) for organizations with the resources to implement it
  • Defined process for investigating SIEM alerts. Alerts that generate no documented response provide no compliance value
  • Regular review of access logs for accounts with elevated privileges
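The three use cases named above, run over a handful of access-log lines, as an added example that is not code from the original article. The log lines, the job-scope table, the business-hours window and the transfer threshold are all constructed; a SIEM would apply equivalent rules to real authentication and file-access telemetry. The example also tracks whether each alert received a documented response, since an alert nobody acted on is not evidence of anything.

```python
"""Use-case rules for identifying unauthorized use (SI.L2-3.14.7).

Added example; not the article's code. The log lines, job-scope table and
thresholds are constructed sample data.
"""
from datetime import datetime

# Constructed access log: timestamp  user  system  action  bytes
SAMPLE_LOG = """\
2024-03-04T09:12:00 jdoe   cui-fileshare read     120000
2024-03-04T23:47:00 jdoe   cui-fileshare read      15000
2024-03-04T23:49:00 jdoe   cui-fileshare download 2400000000
2024-03-04T10:05:00 asmith plm           read      50000
2024-03-04T10:15:00 asmith siem-console  login         0
"""

# Which systems each job function is expected to touch (constructed).
JOB_SCOPE = {"jdoe": {"cui-fileshare", "erp"}, "asmith": {"plm", "cui-fileshare"}}
BUSINESS_HOURS = range(7, 19)         # 07:00 to 18:59 local time
LARGE_TRANSFER_BYTES = 1_000_000_000  # 1 GB moved in a single action


def parse(text):
    """Turn the whitespace-separated log into event dictionaries."""
    events = []
    for line in text.strip().splitlines():
        ts, user, system, action, size = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "system": system, "action": action, "bytes": int(size)})
    return events


def detect(events):
    """Apply the three use cases the text names; each hit becomes an open alert."""
    alerts = []
    for e in events:
        hits = []
        if e["ts"].hour not in BUSINESS_HOURS:
            hits.append("off_hours_access")
        if e["bytes"] >= LARGE_TRANSFER_BYTES:
            hits.append("large_transfer")
        if e["system"] not in JOB_SCOPE.get(e["user"], set()):
            hits.append("outside_job_scope")
        for rule in hits:
            alerts.append({"rule": rule, "user": e["user"], "system": e["system"],
                           "ts": e["ts"].isoformat(), "response": None})
    return alerts


def record_response(alert, analyst, outcome):
    """Attach the investigation outcome; this is what makes the alert compliance evidence."""
    alert["response"] = {"analyst": analyst, "outcome": outcome}
    return alert


def undocumented(alerts):
    """Alerts with no recorded response; these carry no compliance value."""
    return [a for a in alerts if a["response"] is None]


if __name__ == "__main__":
    open_alerts = detect(parse(SAMPLE_LOG))
    for a in open_alerts:
        print(a["ts"], a["rule"], a["user"], a["system"])
    print("awaiting response:", len(undocumented(open_alerts)))
```

On the constructed log the rules fire four times: two off-hours reads by jdoe, the 2.4 GB download that accompanies the second of them, and asmith's login to the SIEM console, which is outside that user's job scope. The correlation of off-hours access with a large transfer is the pattern worth prioritizing in triage; the rules themselves are deliberately simple so that the thresholds can be written into policy and explained to an assessor.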

Putting It Together: The Insider Threat Control Chain

These controls work as a system. Screening (PS.L2-3.9.1) establishes who should have access. Least privilege (AC.L2-3.1.5) and separation of duties (AC.L2-3.1.4) limit what they can do with it. Removable media controls (MP.L2-3.8.7, 3.8.8) limit exfiltration vectors. Monitoring (SI.L2-3.14.7) detects misuse. And offboarding (PS.L2-3.9.2) ensures access is removed when the employment relationship ends.

A gap in any link weakens the entire chain.

SSP Mapping Note

These controls span five different families: PS, AC, MP, PE, and SI. Each must be documented under its respective family section in your SSP. Do not group them all under Personnel Security in your SSP simply because they are covered together in this nugget.

If your organization is working toward CMMC compliance or has questions about the process, we’re here to help. Schedule a free consultation now.