
Personnel Security (PS): Don’t Hand the Keys to the Wrong Driver

The call came on a Thursday afternoon.

A small machining shop in the Midwest (50 employees, solid work, a long history with the DoD) got an email from their prime:

“We’ve detected suspicious activity tied to credentials belonging to your former employee. We need answers.”

Six months earlier, that employee had left on good terms. HR collected their badge, wished them well, and moved on. IT closed their email account… eventually. But no one fully shut down their VPN access.

Those leftover credentials were quietly sold on the dark web and used to poke around systems that handled Controlled Unclassified Information (CUI). No Hollywood hackers. No exotic malware. Just one set of forgotten login credentials.

The result?

  • An internal investigation

  • A very uncomfortable call with the contracting officer

  • A pause on new awards until things were cleaned up

All because offboarding wasn’t treated like a security control; it was treated like paperwork.

That’s what the Personnel Security (PS) family in CMMC 2.0 is really about: making sure the people who get access to sensitive information are trustworthy, properly onboarded, monitored through role changes, and fully locked out when they leave.


What Meeting the Objectives Might Look Like

Here’s what auditors typically expect from the Personnel Security (PS) control family at Level 2 of CMMC 2.0 (Advanced). These translate into concrete actions:

  • Screen people before they see CUI: You run appropriate background checks for roles that will handle CUI, you follow a documented hiring and screening process for both employees and long-term contractors, and you’ve clearly defined which roles require what type of screening.

  • Control access when roles change: You have a documented process to review and update access anytime someone is promoted, moved to a different department, or shifted away from CUI-related work and you can show records (tickets, forms, logs) that those changes were actually made.

  • Offboard people cleanly and consistently: You use a formal termination/offboarding checklist shared between HR, IT, and management so user accounts, badges, VPN tokens, shared passwords, and remote access are disabled promptly and company assets like laptops, phones, tokens, keys, and smartcards are collected.

  • Tie people to roles, and roles to access: You maintain job descriptions that identify which roles need CUI access, you use role-based access in your systems (instead of giving everyone broad admin access), and you keep a clear view of who currently has access to CUI systems and data.

In short: you have to prove who you trust with CUI, what screening and onboarding you perform, when and how their access changes over time, and how you remove that access when they leave. You also have to show that you enforce those people-focused controls every single time, not just on a good day.


Why It Matters: Because strong defense starts long before an attack begins

Personnel Security is not about distrusting your people. It’s about not betting your entire business on memory and goodwill.

  • Contracts and revenue: A single missed offboarding step or poorly controlled access change can turn into an incident that triggers reporting requirements, uncomfortable conversations with your prime, and in serious cases, lost opportunities or pauses on current and future DoD work. Personnel Security is one of the controls that protects the revenue stream your business depends on.
  • Reputation in the DIB community: Primes and partners pay attention to which subcontractors handle CUI cleanly and which ones always seem to have loose ends. When your screening, onboarding, and offboarding are well-run and well-documented, you build a quiet but powerful reputation as a low-risk, dependable partner.
  • Insider risk (malicious and accidental): Not every insider incident involves a vindictive employee; sometimes it’s a well-meaning person who still has access they shouldn’t, or reused credentials that never got turned off. Strong Personnel Security practices reduce the chance that a former employee, contractor, or over-privileged user becomes the weak link in your security chain.
  • Operational sanity: When onboarding, role changes, and offboarding are standardized and tied to clear access rules, your leaders and IT team spend less time scrambling to fix access problems and more time running the business. You get fewer “Who can see this?” fire drills and fewer surprises during audits, because the process is predictable and repeatable.

In short: you’re not just checking a compliance box, you’re protecting your contracts, your reputation, and your day-to-day sanity by making sure only the right people have the right access at the right time.


Where Most Companies Slip Up

Here are some common pitfalls SMBs face with Personnel Security, and where they often stumble in their CMMC assessments.

  • Informal hiring practices: Decisions are made on gut feel or long-standing relationships, background checks are inconsistent or limited to a few positions, and there’s no clear rule for who gets screened and how.
  • IT and HR don’t talk enough: HR knows about start dates, promotions, and last days before IT does, so accounts are created late, access changes lag behind org chart moves, and terminated users may keep access longer than anyone realizes.

  • No standard offboarding checklist: Some managers are diligent about collecting equipment and closing accounts, while others forget shared logins, cloud apps, third-party portals, or physical access like badges and door codes.

  • Shared accounts everywhere: Generic logins like “Engineer,” “ShopFloor,” or “Office” are used for convenience, making it impossible to tie actions in your systems back to a specific person and weakening both accountability and incident investigations.

  • Contractors treated as “exceptions”: Long-term contractors and external IT providers bypass normal screening and access reviews, and often retain remote access or elevated privileges long after their engagement is supposed to be over.

  • Nothing written down: Processes live in people’s heads instead of in documented procedures, so practices vary by manager, and during an assessment it often turns into, “We do that,” with little consistent evidence to prove it.


How to Start Strong (and Grow Stronger)

Here’s a two-tiered approach: a “Starting Point” for compliance, and then the NEX Level enhancements to build real resilience and business advantage. 

A Starting Point: The Minimum to Meet Compliance

These are practical actions you can implement relatively quickly to satisfy the assessment objectives for Personnel Security… 

  1. Define which roles require screening: You create a simple list of positions that will have access to CUI, such as engineers, certain managers, and IT admins, and you decide what level of screening each of those roles needs.

  2. Standardize pre-hire and onboarding: You use a consistent hiring checklist that includes the required screening steps, ensures they are completed before CUI access is granted, and captures key items like background checks and signed confidentiality agreements.

  3. Create a simple offboarding checklist: You document a repeatable process that HR, IT, and managers follow to disable user accounts, revoke remote and physical access, remove people from shared tools, and collect company equipment when someone leaves.

  4. Tie role changes to access reviews: You treat promotions, transfers, and role changes as triggers to review access, making sure people who no longer work with CUI or sensitive systems have their permissions reduced or removed.

  5. Write it down in policies and your SSP: You capture your personnel security approach in a short, clear policy and align it with your System Security Plan (SSP) so what you do and what you say you do match up during an assessment.

By ticking off these steps, you can demonstrate to an assessor (or yourself) that your PS controls are actively managed and aligned with the PS family requirements under CMMC 2.0.


The NEX Level: Turning Compliance into Competitive Advantage

Once you’ve covered the basics, here are advanced practices you can turn into competitive advantage… not just compliance. 

  • Integrate HR and IT workflows: You connect HR events (new hire, role change, termination) to IT tasks using a ticketing or workflow system so that every change kicks off a trackable set of access updates with clear owners and due dates.

  • Use role-based access profiles: You define standard access bundles for key roles (like Engineer, Program Manager, Machinist, and Finance) and you apply those profiles when people join or move roles so you’re not reinventing access from scratch every time.

  • Run periodic access certifications: You schedule quarterly or semiannual reviews where managers confirm who on their team still needs CUI and elevated access, using the results to clean up “zombie” accounts and over-privileged users.

  • Strengthen insider risk awareness: You incorporate simple, focused messaging into training and leadership practices so employees know how to spot and report concerning behavior, and you apply extra care to access management during high-risk exits or disputes.

  • Apply controls to contractors and vendors: You hold long-term contractors and external IT providers to similar screening and access standards as employees, and you put clear expectations in contracts about onboarding, monitoring, and timely deprovisioning.

  • Track a few meaningful metrics: You monitor basic indicators, like time from termination notice to account disablement, number of role changes that triggered access changes, and accounts disabled per quarter, and use them to show improvement and catch gaps early.

These enhancements raise your maturity level, make your identity posture resilient, and allow you to operate confidently, even when the threat landscape gets aggressive. 
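The access certification and the termination-to-disablement metric described above can be run as one reconciliation between an HR roster export and an identity-directory export. The following is an added example (not CyberNEX’s code or any product’s API); the CSV columns, the sample rows and the role profiles are constructed assumptions, chosen so the output shows the cases this article describes: a terminated user whose VPN account is still enabled, an active user with access beyond their role, and a generic shared account with no owner.

```python
import csv
from datetime import date
from io import StringIO

# Constructed sample exports (not real data). HR roster: one row per person.
HR_ROSTER = """emp_id,role,status,termination_date
1001,Engineer,active,
1002,Machinist,active,
1003,Engineer,terminated,2024-03-01
1004,Machinist,terminated,2024-02-10
"""
# Identity directory export: one row per account, groups ';'-separated.
DIRECTORY = """account,emp_id,enabled,groups,disabled_date
ana,1001,true,cui-engineering;vpn,
ben,1002,true,shopfloor;cui-engineering,
cara,1003,true,cui-engineering;vpn,
eli,1004,false,shopfloor,2024-02-12
shopfloor,,true,shopfloor,
"""
# Hypothetical role-based access profiles: the standard bundle each role gets.
ROLE_PROFILES = {"Engineer": {"cui-engineering", "vpn"}, "Machinist": {"shopfloor"}}

def reconcile(hr_text=HR_ROSTER, dir_text=DIRECTORY, profiles=ROLE_PROFILES):
    """Return (findings, latency): sorted (account, issue) pairs for the access
    review, and days from termination to disablement (None = still enabled)."""
    people = {r["emp_id"]: r for r in csv.DictReader(StringIO(hr_text))}
    findings, latency = [], {}
    for acct in csv.DictReader(StringIO(dir_text)):
        name, enabled = acct["account"], acct["enabled"] == "true"
        groups = set(filter(None, acct["groups"].split(";")))
        person = people.get(acct["emp_id"])
        if person is None:  # no named owner: shared/generic or orphaned account
            findings.append((name, "no owner in HR roster"))
        elif person["status"] == "terminated":
            if enabled or not acct["disabled_date"]:  # the forgotten-VPN case
                findings.append((name, f"terminated {person['termination_date']} but still enabled"))
                latency[name] = None
            else:
                latency[name] = (date.fromisoformat(acct["disabled_date"])
                                 - date.fromisoformat(person["termination_date"])).days
        else:  # active person: flag entitlements outside the role's standard bundle
            extra = groups - profiles.get(person["role"], set())
            if extra:
                findings.append((name, "beyond role profile: " + ",".join(sorted(extra))))
    return sorted(findings), latency

def overdue_offboardings(latency, max_days=1):
    """Accounts whose disablement missed the same-day target, or never happened."""
    return sorted(a for a, d in latency.items() if d is None or d > max_days)
```

Run quarterly against real exports, the findings list is the evidence an assessor asks for, and the latency dictionary feeds the termination-to-disablement metric.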


The Identity vs Gate analogy 

Picture your business as a secure factory. Inside are your most valuable assets: precision machines, custom designs, and sensitive customer orders tied to defense contracts. At the front door, every employee gets a keycard. When you hire someone for the welding line, you don’t give them a master key to every room; you give them access to the welding floor and maybe the break room. When a welder moves into quality control, you update their keycard so it opens the inspection lab but no longer gets them onto the welding floor. And when someone’s last day arrives, you don’t shrug and say, “We’ll worry about their key later.” You collect their card at the exit or flip a switch so it stops working before they walk out the door.

Now translate that into your digital world. User accounts, VPN logins, shared drives, and cloud apps are all just different doors in that factory. Onboarding is when you issue the keycard. Role changes are when you reprogram it. Offboarding is when you disable it completely. If any one of those steps is missed, someone can still walk in long after they should be gone, maybe by accident, maybe with bad intentions, and maybe with attackers quietly riding along on their credentials.

Takeaway: If you wouldn’t let ex-employees keep a physical key to your building, you can’t afford to let them keep a digital key to your systems either.


Helpful Resources

Here are some resources to help you dig deeper and operationalize the Personnel Security (PS) control family…

Framework & Standards

Free Resources

Paid Resources

  • Checkr: Background Screening Platform – If you use Gusto, their Checkr integration makes PS screening part of the normal hiring workflow.
  • BambooHR: HR Software – Use automated workflows and tickets to enforce that screening, onboarding, role change, and offboarding checklists are always followed and logged.

CyberNEX Resources

  • CMMC Decoded: Personnel Security Reference Sheet – A concise one-page guide for defense contractors that outlines the PS control family, explains why it matters, highlights examples of evidence auditors might expect, provides quick-win actions to get started, and includes links to available resources.
  • CyberNEX Blog Archive – Explore all 14 CMMC control families with in-depth explainers, practical recommendations, and actionable insights tailored to defense contractors.

Take the NEXt Step

Compliance is never the finish line; it’s the foundation. The real advantage comes when your business uses CMMC practices to strengthen operations, protect revenue, and earn the trust of your partners and the DoD. Whether you’re trying to pass an assessment or build a truly resilient cybersecurity program, CyberNEX helps you move from “checking the box” to owning your security posture.

Our team has guided dozens of SMBs through CMMC readiness, helping them translate complex requirements into simple, actionable steps. We know where most businesses struggle, and we know how to make progress visible – fast.

👉 Get clarity on your PS gaps and a clear plan forward. Book a Discovery Session with our experts today.


Not ready to chat yet?
→ Learn more about our CMMC Readiness Assessments
→ Subscribe to NEX Level Newsletter


FAQs

1. What does CMMC Personnel Security actually require?
CMMC Personnel Security at Level 2 is really about proving that you are intentional with who gets access to CUI and how that access is managed over time. It expects you to screen individuals before granting them access to systems and data that handle CUI, manage access when people change roles so they only keep the permissions they truly need, and cleanly remove access when they leave the organization. In practice, that means you have documented processes for screening, onboarding, role changes, and offboarding, and you can show real evidence (e.g., records, checklists, and tickets) that those processes are consistently followed.

2. Do I have to run full background checks on every employee?
No, you don’t have to treat every role the same. CMMC expects you to define what “appropriate screening” looks like based on the risk of the role. For some positions, it might be basic employment verification; for others, like engineers working with CUI or system administrators, it might mean a more thorough background check. The key is that you decide in advance which roles get which level of screening, you put that in writing, you apply it consistently, and you complete the screening before giving people access to CUI or sensitive systems.

3. We already have HR processes. Why do we need to change them for CMMC?
Most existing HR processes are designed for payroll, benefits, and general employee lifecycle, not for protecting defense-related information. CMMC adds a layer of expectation that HR, IT, and leadership are tightly coordinated around access. When someone is hired, promoted, moved, or terminated, those HR events need to reliably trigger changes to their system access, and you need to be able to show that this happens in a timely and consistent way. You don’t have to throw away what you have today, but you do need to connect the dots between people processes and access control so that your current HR workflow also supports your security and CMMC obligations.

4. How quickly do we need to remove access when someone leaves?
CMMC doesn’t specify a hard number of minutes or hours, but assessors and customers expect you to act promptly and predictably, especially for people with access to CUI or administrative privileges. That usually means you have a standard process where HR notifies IT before or at the time of departure, IT disables accounts and access the same day, and you can show a record of when that happened. The real goal is to avoid situations where former employees or contractors can still log in days or weeks later. If you can demonstrate that your process consistently closes that window quickly, you’re in good shape.

5. We’re a small company and know everyone personally. Does Personnel Security still apply to us?
Yes, maybe even more so. In a small business, people wear multiple hats, share responsibilities, and often have broad access by necessity. That makes it easy to rely on trust and informal habits instead of documented, repeatable processes. CMMC doesn’t question whether you trust your team; it asks whether you can prove you control who gets access, how that access changes, and when it’s removed. For smaller organizations, that often looks like a few simple but written procedures, a basic screening standard for sensitive roles, and checklists for onboarding and offboarding. You can still run your business in a relationship-driven way, but you also need enough structure to satisfy auditors and protect your contracts.
