Screen Individuals
Screen individuals prior to authorizing access to organizational systems containing CUI.
What an assessor scores, the objectives
PS.L2-3.9.1 is met only when its 1 objective, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.
- a. individuals are screened prior to authorizing access to organizational systems containing CUI
How a C3PAO checks it
NIST SP 800-171A defines three assessment methods. For PS.L2-3.9.1, an assessor uses these:
- Examine: personnel security policy; procedures addressing personnel screening; records of screened personnel; system security plan; other relevant documents or records
- Interview: personnel with personnel security responsibilities; personnel with information security responsibilities
- Test: organizational processes for personnel screening
What it means, in context
Personnel security screening (vetting) activities involve the evaluation/assessment of an individual's conduct, integrity, judgment, loyalty, reliability, and stability (i.e., the trustworthiness of the individual) prior to authorizing access to organizational systems containing CUI. The screening activities reflect applicable federal laws, Executive Orders, directives, policies, regulations, and specific criteria established for the level of access required for assigned positions.
Ensure all employees who need access to CUI undergo organization-defined screening before being granted access. Base the types of screening on the requirements for a given position and role. The effective screening of personnel provided by this requirement, PS.L2-3.9.1, improves upon the effectiveness of authentication performed in IA.L2-3.5.2.
Example
You are in charge of security at your organization. You complete standard criminal background and credit checks of all individuals you hire before they can access CUI [a]. Your screening program follows appropriate laws, policies, regulations, and criteria for the level of access required for each position.
Potential Assessment Considerations
- Are appropriate background checks completed prior to granting access to organizational systems containing CUI [a]?
What passing evidence looks like
The screening step in hiring for anyone who will touch CUI: what check you run (background check, reference verification) and a record that it ran for current CUI handlers.
Common ways contractors fail PS.L2-3.9.1
- Screening is scoped to CUI access, not every hire. Define the check proportionate to your shop (a commercial background check is typical) and be ready to show it ran for the people in the CUI roster.
Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.
PS.L2-3.9.1 questions, answered
How many points is CMMC requirement PS.L2-3.9.1 worth?
PS.L2-3.9.1 is worth 3 points in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 3 from your total of 110.
Can PS.L2-3.9.1 be placed on a POA&M?
No. PS.L2-3.9.1 must be fully met before you can file. It cannot be deferred to a POA&M, so it is a gate on your assessment.
What family does PS.L2-3.9.1 belong to?
PS.L2-3.9.1 is in the Personnel Security (PS) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.
- NIST SP 800-171 Rev. 2 3.9.1