manage.get.gov/docs/compliance/dist/system-security-plans/ato/ps-7.md
Logan McDonald 1d3dfdb8d5
Add compliance documentation to source control (#116)
* add initial setup of compliance-trestle
2022-09-14 08:46:43 -04:00

implementation-status: c-not-implemented
control-origination: c-inherited-cloud-gov, c-inherited-cisa, c-common-control, c-system-specific-control

ps-7 - [catalog] External Personnel Security

Control Statement

  • [a] Establish personnel security requirements, including security roles and responsibilities for external providers;

  • [b] Require external providers to comply with personnel security policies and procedures established by the organization;

  • [c] Document personnel security requirements;

  • [d] Require external providers to notify personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within time period ; and

  • [e] Monitor provider compliance with personnel security requirements.

Control guidance

External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals.

Control assessment-objective

  • personnel security requirements are established, including security roles and responsibilities for external providers;

  • external providers are required to comply with personnel security policies and procedures established by the organization;

  • personnel security requirements are documented;

  • external providers are required to notify personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within time period;

  • provider compliance with personnel security requirements is monitored.


What is the solution and how is it implemented?


Implementation a.

Add control implementation description here for item ps-7_smt.a


Implementation b.

Add control implementation description here for item ps-7_smt.b


Implementation c.

Add control implementation description here for item ps-7_smt.c


Implementation d.

Add control implementation description here for item ps-7_smt.d


Implementation e.

Add control implementation description here for item ps-7_smt.e