This post explains how to build practical, defensible background check policies and operating procedures that meet the Compliance Framework requirement PS.L2-3.9.1 (screen individuals prior to authorizing access to systems containing Controlled Unclassified Information - CUI) from NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2.
Understand the requirement and define scope
Start by mapping PS.L2-3.9.1 to your environment: identify all systems, networks, files, and physical locations that store, process, or transmit CUI. For a small business this might be a single file server, an internal SharePoint site, an encrypted laptop used by program staff, and any third-party cloud services that store contract-related data. The policy must explicitly state that individuals (employees, contractors, interns, and vendors with privileged or direct CUI access) will be screened prior to receiving access. Define roles and access levels (e.g., basic user, privileged administrator, program manager) and tie the level of screening to the sensitivity of access requested.
Key policy elements to include
Your written policy should cover scope, types of checks, timing, adjudication, data handling, legal compliance, roles/responsibilities, and record retention. Types of checks you may use include identity verification, criminal history (national/state), employment and education verification, credit checks for financial roles, and fingerprint-based FBI checks where required. Specify whether checks are pre-employment only or include periodic rechecks (e.g., every 3 years, or continuous monitoring for high-risk roles), and include criteria for conditional access (temporary access while a check completes) with compensating controls such as supervised access or reduced privileges.
Technical and procedural implementation details
Operationalize the policy with concrete procedures: (1) collect signed consent forms that comply with the Fair Credit Reporting Act (FCRA) and state laws; (2) call out approved background check vendors (e.g., Sterling, HireRight) and integrations (HRIS or applicant tracking systems) to automate order and result ingestion; (3) require secure storage of reports in an encrypted HR repository (AES-256 at rest, TLS 1.2+ in transit) with strict role-based access controls and audit logging; (4) use unique identifiers (candidate ID) rather than social security numbers when possible, and redact sensitive parts of reports for operational use. Include a workflow diagram or checklist for HR, security, and hiring managers that specifies triggers, responsible parties, and SLA for completing checks (e.g., within 5 business days).
Adjudication, adverse actions, and legal compliance
Document an adjudication process with objective criteria: define disqualifying offenses (e.g., recent fraud, violent felonies) and mitigating considerations (time elapsed, relevance to job duties, rehabilitation). Ensure the adverse action process follows FCRA: provide pre-adverse notices with a copy of the consumer report and a summary of rights, allow the individual to respond, and only after review issue a final adverse action notice. Train HR and security staff on state-specific restrictions (ban-the-box laws, limits on credit checks) and ensure contracts with background vendors include breach notification timelines and data protection clauses.
Small business scenarios and real-world examples
Example 1: A 12-person defense subcontractor assigns a background tier for each role. Program engineers with code repository and CUI access require identity verification, a 7-year criminal history search, and employment verification before issuing credentials; non-CUI administrative staff receive identity verification only. Example 2: A managed service provider (MSP) hosting CUI requires all third-party contractor engineers to undergo the company's background process plus continuous monitoring (monthly alerts for new criminal records). In both cases, the business integrates checks into onboarding in the HRIS and enforces "no access until cleared" for privileged accounts using its identity provider (IdP) to block account activation until HR flags clearance complete.
Risk of not implementing background checks
Failing to screen individuals before granting CUI access increases insider threat, data exfiltration, and fraud risk and can directly result in non-compliance findings during assessments or audits. For a small business, a single malicious or negligent insider can lead to contract termination, penalties, loss of future contracts, reputational damage, and potential compromise of sensitive defense information. Additionally, ad-hoc or undocumented checks expose you to legal risk under FCRA and inconsistent decision-making that can lead to discrimination claims.
Compliance tips and best practices
Keep checks proportionate to risk: avoid overbroad requirements that unnecessarily delay hiring. Automate where possible to reduce human error—use ATS/HRIS integrations to track consent, orders, results, and adjudication. Maintain an audit trail of decisions and access grants tied to clearance status. Include background check clauses in subcontractor agreements and require proof of equivalent screening. Encrypt and minimize report retention—retained reports should be limited to what you need for compliance (commonly 1–7 years depending on your internal policy and legal advice) and securely deleted when no longer required.
Implementing PS.L2-3.9.1 successfully requires combining clear policy language, repeatable procedures, technical controls (IdP gating, encrypted HR storage, logging), legal compliance (FCRA/state laws), and documented adjudication criteria; these elements together reduce risk and demonstrate to assessors that your small business protects CUI responsibly.
