
PS-7 Third-Party Personnel Security

PBMM (P1)
Secret (P1)
Operational

Control Description

(A) The organization establishes personnel security control requirements including security roles and responsibilities for third-party providers.
(B) The organization requires third-party providers to comply with personnel security control policies and procedures established by the organization.
(C) The organization documents personnel security requirements.
(D) The organization requires third-party providers to notify organization-defined personnel or roles of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges, within an organization-defined time period.
(E) The organization monitors provider compliance.
(AA) The organization ensures security screening of private sector organizations and individuals who have access to Protected and Classified information and assets, in accordance with the TBS Standard on Security Screening [Reference 9].
(BB) The organization explicitly defines government oversight and end-user roles and responsibilities relative to third-party provided services in accordance with the TBS Security and Contracting Management Standard [Reference 25].

Supplemental Guidance

Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security control requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations.

Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials/privileges associated with individuals transferred or terminated.

Related controls: PS-2, PS-3, PS-4, PS-5, PS-6, SA-9, SA-21
