Personnel Security Plan

Approach basics → §4.x

Roles and providers that anchor the rest of the plan.

HR partner role (one-liner) * Role that owns the personnel-security workflow on the HR side (e.g., 'Personnel Security Branch within HR', 'Agency PSO under the CSO').

Background-investigation provider * Provider conducting background investigations (e.g., 'OPM / NBIB / DCSA for federal positions', 'HireRight + private references for contractor-only positions').

Position-risk designation authority * Role / methodology used to designate position risk (e.g., 'OPM Position Designation Tool with HR-CSO joint review', 'Internal position-sensitivity matrix based on data access level').

Sanctions-administration authority * Role responsible for applying sanctions for security violations (e.g., 'HR with CSO concurrence', 'CO / contracting officer for contractor staff').

Access-agreement storage location Where signed access agreements (NDAs, Rules of Behavior, AUPs) are stored. HRMS, contract file, secure document repository.

Position Risk Designation (PS-2) → §4.x

How positions are categorized for screening level.

Designation methodology — Select — OPM Position Designation Tool (federal default) Agency-specific matrix derived from OPM tool 5 CFR Part 1400 + 5 CFR Part 731 split Internal three-tier (Low / Moderate / High) based on system access External commercial framework

Risk levels in use

Low Risk (Tier 1 / NACI legacy) Moderate Risk Public Trust (Tier 2 / Tier 4) High Risk Public Trust (Tier 4) National Security Non-Critical Sensitive (Tier 3) National Security Critical Sensitive (Tier 5) National Security Special Sensitive (Tier 5 + SCI eligibility)

Designation-review cadence (PS-2 ODV) How often position-risk designations are reviewed (typical: 'Annual + on position-description change'). PS-2 ODV.

Designation-review role Role accountable for periodic review of position-risk designations.

Mapping from risk level to screening type Crosswalk from each risk level to the corresponding background-investigation type (e.g., 'Low Risk → Tier 1; Moderate Risk Public Trust → Tier 2; High Risk Public Trust → Tier 4').

Personnel Screening (PS-3) → §4.x

Pre-access investigation and reauthorization.

Pre-access screening required for

Government employees Contractor staff with system access Contractor staff without system access (escorted only) Vendor maintenance staff (PS-7 / MA-5) Volunteer / unpaid associates Foreign nationals (with special handling per EO 12968)

Investigation types in use

Tier 1 / NACI (Low Risk) Tier 2 (Moderate Risk Public Trust) Tier 3 (National Security Non-Critical Sensitive) Tier 4 (High Risk Public Trust) Tier 5 (National Security Critical Sensitive / SCI) FBI Name Check (interim) Fingerprint check (interim while Tier-N processes) State / local criminal history check (commercial)

Reauthorization cadence When screenings must be redone (e.g., 'Tier 5: every 5 years; Tier 4: every 5 years; Tier 2: every 10 years; or upon Continuous Vetting flag event'). Reference Federal Investigative Standards.

Continuous Vetting (CV) participation — Select — Yes — federal CV via DCSA Trusted Workforce 2.0 Yes — internal CV beyond federal program Partial (only critical-sensitive positions) No (legacy periodic-reinvestigation only)

Interim-access criteria When and how interim access is granted while full investigation is in progress. Common criteria: favorable fingerprint result + signed SF-86 + supervisor approval.

Personnel Termination (PS-4) → §4.x

Off-boarding workflow that cuts access and recovers assets.

Access-revocation SLA Time from termination effective date until logical and physical access is revoked. PS-4 ODV. Common: 'Same business day for involuntary; end-of-business-day for voluntary'.

Termination workflow steps

HR-initiated termination notification Disable AD / IdP account (AC-2) Revoke physical badges (PE-2) Recover GFE laptop / mobile / hardware tokens Conduct exit interview Reaffirm NDA / non-disclosure obligations Forward email / out-of-office Document hand-off to successor / supervisor Transfer file ownership Return classified materials (if applicable) Update PS-3 screening record

Involuntary-termination handling Special handling for terminations for cause (immediate access cut prior to notification, escort during exit, asset-recovery procedure).

Termination-evidence retention How long termination-checklist evidence is retained (typically per NARA records-retention schedule for personnel records).

Personnel Transfer (PS-5) → §4.x

Reassignment workflow that updates access entitlements.

Transfer trigger events

Promotion / role change within team Move to different organizational unit Move to different system / project Detail to another agency Demotion or reassignment for cause Role expansion (added duties) Role reduction (removed duties)

Access-review SLA on transfer Time from transfer effective date until access entitlements are reviewed and adjusted. Common: 'Within 7 days of effective date'.

Temporary dual-access policy Whether and how a transferring employee retains access to the old role during transition. Time limit, justification, removal trigger.

Screening review on transfer Whether the new role requires a higher-tier screening; trigger for upgrade investigation.

Access Agreements (PS-6) → §4.x

Documents personnel sign before access is granted.

Required agreements

Non-Disclosure Agreement (NDA / SF-312 for classified) Acceptable Use Policy / Rules of Behavior Conflict-of-interest disclosure Telework agreement (if PE-17 applicable) Security awareness acknowledgment (cross-reference AT-2) Privacy Act agreement (if PII handled) HIPAA Business Associate Agreement (if PHI handled) Foreign-disclosure briefing (if applicable)

Agreement-renewal cadence (PS-6 ODV) How often agreements are reviewed / re-signed. PS-6 ODV. Common: 'Annual', 'On significant change to terms'.

Storage practice Where signed agreements are stored, retention period, who has read access. Reference NARA records schedule.

Completion-tracking mechanism How current-agreement status is tracked (HRMS field, separate compliance dashboard, expiration alerts).

External Personnel (PS-7) → §4.x

Contractor staff, vendor staff, partner-organization staff.

External-personnel categories

Direct contractor staff (deployed to system) Subcontractor staff (visibility through prime) Vendor maintenance / support staff (MA-5) Cloud-provider staff (SA-9 / FedRAMP-cleared) Partner-agency staff Foreign-national contractors Volunteer / unpaid associates

Screening requirement for external What background screening external personnel must complete (typically same standard as employees in equivalent risk positions). Reference contract clauses (DFARS 252.204-7012 for DoD).

Contract clauses required

Personnel-screening clause (FAR 52.204-9) Notification of personnel changes within N business days Sanctions for noncompliance (PS-8 reference) Continuous-vetting cooperation Foreign-national disclosure clause DFARS 252.204-7012 (DoD CDI) Section 889 attestation

Personnel-change notification SLA Time within which external organization must notify the agency of personnel changes (terminations, transfers, new staff requiring access).

Periodic external attestation cadence How often external organizations attest to current screening / agreement status (e.g., 'Quarterly').

Personnel Sanctions (PS-8) → §4.x

Disciplinary process for security-policy violations.

Violation categories addressed

Unauthorized disclosure of CUI / classified Misuse of system access Failure to complete required training Failure to renew access agreement Sharing credentials Intentional bypass of security controls Mishandling of media / hardcopy Failure to report security incident Insider-threat indicators

Sanction levels

Verbal warning + retraining Written reprimand Performance-improvement plan Suspension of access Suspension of employment Termination of employment / contract Referral for criminal investigation

Sanction-decision authority Who decides what sanction applies. Mix of HR, security, supervisor, contracting officer for contractors.

Notification process How affected parties are notified, due-process steps, appeal mechanism. Reference org HR policy.

Reporting to leadership Cadence at which sanctions are summarized to senior leadership (anonymous trends or named per HR policy).

Position Descriptions (PS-9) → §4.x

Security responsibilities written into position descriptions.

Security responsibilities in PDs

General security awareness expectations Role-specific security duties (per AT-3 role-based training) Position risk designation cite Required clearance / screening level Security training requirements Reporting responsibilities for security incidents Compliance with applicable laws / regulations

PD-review cadence How often position descriptions are reviewed for currency (typical: 'Annually'). PS-9 ODV.

PD-template location Where the standard PD template (with security clauses) lives.

Personnel Scope and Coverage → §2.x

Quantitative scope numbers that anchor metrics later in the plan.

Total personnel in scope Approximate count of all personnel (employees + contractors) in scope.

Contractor percentage (approximate) Approximate % of total personnel that are contractor / vendor staff.

High-risk position count Count of positions designated High Risk Public Trust or higher.

External organizations in scope (PS-7) Count of external organizations (contractors, partners, vendors with system access).

Personnel-Security Metrics & KPIs → §6.x

Metrics tracked to demonstrate PS control effectiveness.

Tracked metrics

Add item

Suggested: + % Personnel with current PS-3 screening + % Personnel with current PS-6 access agreement + Termination-revocation SLA compliance rate (PS-4) + Mean time from termination effective to access cut (hours) + Transfer-rescreening completion rate (PS-5) + External-personnel attestation completion rate (PS-7) + Sanctions issued per quarter (by category, anonymized) + Continuous-vetting flag events processed within SLA + Position-description currency rate (% reviewed in last cycle) + Personnel-system-to-access-list reconciliation gap count + Open POA&M items linked to PS controls

Personnel-to-Access Reconciliation → §6.x

Continuous verification that personnel records match access entitlements.

Reconciliation cadence How often the personnel system (HRMS) is reconciled against logical (AC-2) and physical (PE-2) access lists. Common: 'Weekly automated; monthly manual review'.

Gap-handling SLA Time from identification of a reconciliation gap to closure (e.g., 'Same business day for terminated personnel still holding access'). Common audit finding when not actively monitored.

Cross-references to other RMF artifacts → §7

Where this plan plugs into the broader RMF package.

SSP section reference Where in the SSP the PS control implementations are summarized (e.g., 'SSP §13.10').

POA&M ID prefix for PS findings Convention for PS-related POA&M items (e.g., 'POAM-PS-' for general).

PE handoff How PS-3 screening status feeds PE-2 physical-access authorization. Trigger that updates PE-2 list when screening lapses or terminates.

AC handoff How PS-3 / PS-4 / PS-5 outcomes drive AC-2 logical-account lifecycle. Termination automation, transfer review trigger.

AT handoff How PS-6 access agreements pair with AT-2 awareness training. Co-administered or separate?

SA handoff How PS-7 external-personnel governance ties to SA-9 external-system-services management. Personnel-change notification flowing through both pathways.

IR handoff How security incidents involving personnel feed PS-8 sanctions workflow. Insider-threat reporting.

CA-7 continuous-monitoring strategy reference Pointer to the CA-7 monitoring strategy document tying PS continuous-monitoring metrics to the broader ConMon plan.