PS-3(2)—Formal Indoctrination
>Control Description
Verify that individuals accessing a system processing, storing, or transmitting types of classified information that require formal indoctrination, are formally indoctrinated for all the relevant types of information to which they have access on the system.
>Cross-Framework Mappings
>Supplemental Guidance
Types of classified information that require formal indoctrination include Special Access Program (SAP), Restricted Data (RD), and Sensitive Compartmented Information (SCI).
>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What policies govern formal indoctrination for organizational personnel?
- •Who is responsible for implementing and overseeing formal indoctrination controls?
- •How does the organization coordinate formal indoctrination with HR and legal teams?
- •What is the process for handling exceptions to formal indoctrination requirements?
- •What governance exists for ensuring consistent application of formal indoctrination across the organization?
Technical Implementation:
- •What systems or tools technically implement formal indoctrination?
- •How are formal indoctrination activities integrated with HR and identity management systems?
- •What automation supports formal indoctrination enforcement and tracking?
- •What audit capabilities exist for formal indoctrination?
- •How are formal indoctrination requirements technically enforced in access control systems?
Evidence & Documentation:
- •Provide documented policies and procedures for formal indoctrination.
- •Provide personnel records demonstrating formal indoctrination implementation.
- •Provide evidence of formal indoctrination for all personnel with system access.
- •Provide records of formal indoctrination reviews and updates.
- •Provide documentation of coordination between formal indoctrination and HR processes.
Ask AI
Configure your API key to use AI features.