This post explains how to build practical, defensible background check policies and operating procedures that meet the Compliance Framework requirement PS.L2-3.9.1 (screen individuals prior to authorizing access to systems containing Controlled Unclassified Information - CUI) from NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2.
\n\nStart by mapping PS.L2-3.9.1 to your environment: identify all systems, networks, files, and physical locations that store, process, or transmit CUI. For a small business this might be a single file server, an internal SharePoint site, an encrypted laptop used by program staff, and any third-party cloud services that store contract-related data. The policy must explicitly state that individuals (employees, contractors, interns, and vendors with privileged or direct CUI access) will be screened prior to receiving access. Define roles and access levels (e.g., basic user, privileged administrator, program manager) and tie the level of screening to the sensitivity of access requested.
\n\nYour written policy should cover scope, types of checks, timing, adjudication, data handling, legal compliance, roles/responsibilities, and record retention. Types of checks you may use include identity verification, criminal history (national/state), employment and education verification, credit checks for financial roles, and fingerprint-based FBI checks where required. Specify whether checks are pre-employment only or include periodic rechecks (e.g., every 3 years, or continuous monitoring for high-risk roles), and include criteria for conditional access (temporary access while a check completes) with compensating controls such as supervised access or reduced privileges.
\n\nOperationalize the policy with concrete procedures: (1) collect signed consent forms that comply with the Fair Credit Reporting Act (FCRA) and state laws; (2) call out approved background check vendors (e.g., Sterling, HireRight) and integrations (HRIS or applicant tracking systems) to automate order and result ingestion; (3) require secure storage of reports in an encrypted HR repository (AES-256 at rest, TLS 1.2+ in transit) with strict role-based access controls and audit logging; (4) use unique identifiers (candidate ID) rather than social security numbers when possible, and redact sensitive parts of reports for operational use. Include a workflow diagram or checklist for HR, security, and hiring managers that specifies triggers, responsible parties, and SLA for completing checks (e.g., within 5 business days).
\n\nDocument an adjudication process with objective criteria: define disqualifying offenses (e.g., recent fraud, violent felonies) and mitigating considerations (time elapsed, relevance to job duties, rehabilitation). Ensure the adverse action process follows FCRA: provide pre-adverse notices with a copy of the consumer report and a summary of rights, allow the individual to respond, and only after review issue a final adverse action notice. Train HR and security staff on state-specific restrictions (ban-the-box laws, limits on credit checks) and ensure contracts with background vendors include breach notification timelines and data protection clauses.
\n\nExample 1: A 12-person defense subcontractor assigns a background tier for each role. Program engineers with code repository and CUI access require identity verification, a 7-year criminal history search, and employment verification before issuing credentials; non-CUI administrative staff receive identity verification only. Example 2: A managed service provider (MSP) hosting CUI requires all third-party contractor engineers to undergo the company's background process plus continuous monitoring (monthly alerts for new criminal records). In both cases, the business integrates checks into onboarding in the HRIS and enforces \"no access until cleared\" for privileged accounts using its identity provider (IdP) to block account activation until HR flags clearance complete.
\n\nFailing to screen individuals before granting CUI access increases insider threat, data exfiltration, and fraud risk and can directly result in non-compliance findings during assessments or audits. For a small business, a single malicious or negligent insider can lead to contract termination, penalties, loss of future contracts, reputational damage, and potential compromise of sensitive defense information. Additionally, ad-hoc or undocumented checks expose you to legal risk under FCRA and inconsistent decision-making that can lead to discrimination claims.
\n\nKeep checks proportionate to risk: avoid overbroad requirements that unnecessarily delay hiring. Automate where possible to reduce human error—use ATS/HRIS integrations to track consent, orders, results, and adjudication. Maintain an audit trail of decisions and access grants tied to clearance status. Include background check clauses in subcontractor agreements and require proof of equivalent screening. Encrypt and minimize report retention—retained reports should be limited to what you need for compliance (commonly 1–7 years depending on your internal policy and legal advice) and securely deleted when no longer required.
\n\nImplementing PS.L2-3.9.1 successfully requires combining clear policy language, repeatable procedures, technical controls (IdP gating, encrypted HR storage, logging), legal compliance (FCRA/state laws), and documented adjudication criteria; these elements together reduce risk and demonstrate to assessors that your small business protects CUI responsibly.
", "plain_text": "This post explains how to build practical, defensible background check policies and operating procedures that meet the Compliance Framework requirement PS.L2-3.9.1 (screen individuals prior to authorizing access to systems containing Controlled Unclassified Information - CUI) from NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2.\n\nUnderstand the requirement and define scope\nStart by mapping PS.L2-3.9.1 to your environment: identify all systems, networks, files, and physical locations that store, process, or transmit CUI. For a small business this might be a single file server, an internal SharePoint site, an encrypted laptop used by program staff, and any third-party cloud services that store contract-related data. The policy must explicitly state that individuals (employees, contractors, interns, and vendors with privileged or direct CUI access) will be screened prior to receiving access. Define roles and access levels (e.g., basic user, privileged administrator, program manager) and tie the level of screening to the sensitivity of access requested.\n\nKey policy elements to include\nYour written policy should cover scope, types of checks, timing, adjudication, data handling, legal compliance, roles/responsibilities, and record retention. Types of checks you may use include identity verification, criminal history (national/state), employment and education verification, credit checks for financial roles, and fingerprint-based FBI checks where required. Specify whether checks are pre-employment only or include periodic rechecks (e.g., every 3 years, or continuous monitoring for high-risk roles), and include criteria for conditional access (temporary access while a check completes) with compensating controls such as supervised access or reduced privileges.\n\nTechnical and procedural implementation details\nOperationalize the policy with concrete procedures: (1) collect signed consent forms that comply with the Fair Credit Reporting Act (FCRA) and state laws; (2) call out approved background check vendors (e.g., Sterling, HireRight) and integrations (HRIS or applicant tracking systems) to automate order and result ingestion; (3) require secure storage of reports in an encrypted HR repository (AES-256 at rest, TLS 1.2+ in transit) with strict role-based access controls and audit logging; (4) use unique identifiers (candidate ID) rather than social security numbers when possible, and redact sensitive parts of reports for operational use. Include a workflow diagram or checklist for HR, security, and hiring managers that specifies triggers, responsible parties, and SLA for completing checks (e.g., within 5 business days).\n\nAdjudication, adverse actions, and legal compliance\nDocument an adjudication process with objective criteria: define disqualifying offenses (e.g., recent fraud, violent felonies) and mitigating considerations (time elapsed, relevance to job duties, rehabilitation). Ensure the adverse action process follows FCRA: provide pre-adverse notices with a copy of the consumer report and a summary of rights, allow the individual to respond, and only after review issue a final adverse action notice. Train HR and security staff on state-specific restrictions (ban-the-box laws, limits on credit checks) and ensure contracts with background vendors include breach notification timelines and data protection clauses.\n\nSmall business scenarios and real-world examples\nExample 1: A 12-person defense subcontractor assigns a background tier for each role. Program engineers with code repository and CUI access require identity verification, a 7-year criminal history search, and employment verification before issuing credentials; non-CUI administrative staff receive identity verification only. Example 2: A managed service provider (MSP) hosting CUI requires all third-party contractor engineers to undergo the company's background process plus continuous monitoring (monthly alerts for new criminal records). In both cases, the business integrates checks into onboarding in the HRIS and enforces \"no access until cleared\" for privileged accounts using its identity provider (IdP) to block account activation until HR flags clearance complete.\n\nRisk of not implementing background checks\nFailing to screen individuals before granting CUI access increases insider threat, data exfiltration, and fraud risk and can directly result in non-compliance findings during assessments or audits. For a small business, a single malicious or negligent insider can lead to contract termination, penalties, loss of future contracts, reputational damage, and potential compromise of sensitive defense information. Additionally, ad-hoc or undocumented checks expose you to legal risk under FCRA and inconsistent decision-making that can lead to discrimination claims.\n\nCompliance tips and best practices\nKeep checks proportionate to risk: avoid overbroad requirements that unnecessarily delay hiring. Automate where possible to reduce human error—use ATS/HRIS integrations to track consent, orders, results, and adjudication. Maintain an audit trail of decisions and access grants tied to clearance status. Include background check clauses in subcontractor agreements and require proof of equivalent screening. Encrypt and minimize report retention—retained reports should be limited to what you need for compliance (commonly 1–7 years depending on your internal policy and legal advice) and securely deleted when no longer required.\n\nImplementing PS.L2-3.9.1 successfully requires combining clear policy language, repeatable procedures, technical controls (IdP gating, encrypted HR storage, logging), legal compliance (FCRA/state laws), and documented adjudication criteria; these elements together reduce risk and demonstrate to assessors that your small business protects CUI responsibly." }, "metadata": { "description": "Step-by-step guidance for small businesses to design background check policies and procedures that satisfy NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 PS.L2-3.9.1 while protecting CUI and complying with applicable laws.", "permalink": "/how-to-create-background-check-policies-and-procedures-to-comply-with-nist-sp-800-171-rev2-cmmc-20-level-2-control-psl2-391.json", "categories": [], "tags": [] } }