PS.L2-3.9.1 — Screen individuals prior to authorizing access to organizational systems containing CUI.
What this control requires
Screen individuals prior to authorizing access to organizational systems containing CUI.
Source: CMMC L2 v2.13 PS.L2-3.9.1 / NIST SP 800-171 R2 3.9.1 (official control text).
Why this matters
This control ensures only trustworthy individuals handle Controlled Unclassified Information (CUI) by verifying their background, identity, and suitability before granting system access. Screening mitigates insider threats, data exfiltration, and unauthorized disclosure by filtering out individuals with criminal histories, foreign allegiances, or integrity concerns. It establishes a baseline of trust for personnel who will touch sensitive government data, protecting both the organization and its federal clients from preventable security incidents caused by malicious or compromised insiders.
What evidence assessors expect
Assessors typically look for: PDF, screenshot, CSV export, signed letter. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
Related controls
See your live posture on PS.L2-3.9.1.
FORCE shows where you stand on this control and walks you through closing it.
Start a free trial tenant →