03.09.01: (a) Screen individuals prior to authorizing access to the system. (b) Rescreen individuals in accordance with {{ insert: param, A.03.09.01.ODP.01 }}.

What this control requires

(a) Screen individuals prior to authorizing access to the system. (b) Rescreen individuals in accordance with {{ insert: param, A.03.09.01.ODP.01 }}.

Source: NIST SP 800-171 R3 §03.09.01 (official control text).

Why this matters

Personnel screening ensures individuals with access to CUI and organizational systems have been vetted for trustworthiness before they can view, modify, or transmit sensitive data. Screening reduces the risk of insider threats, fraud, and data exfiltration by confirming individuals meet baseline conduct, integrity, and reliability standards. Without formal screening and periodic rescreening, organizations cannot verify that employees, contractors, or third parties with system access remain suitable for their roles over time. This control establishes a documented process to evaluate background, criminal history, employment verification, and other factors proportional to the sensitivity of the position and data accessed.

What evidence assessors expect

Assessors typically look for: PDF, CSV export, signed letter. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
