
NIST 800-171 Personnel Security Controls in GCC High: Configuration Guide

January 11, 2026
Author

Emily Bonnie

Senior Content Marketing Manager

Reviewer

Anna Fitzgerald

Senior Content Marketing Manager

Personnel Security is one of the smallest families in NIST 800-171. It contains only two controls, but both govern moments that create real risk in an organization: deciding who is allowed to access systems containing Controlled Unclassified Information (CUI) and ensuring that access disappears immediately when personnel leave or change roles.

The first control focuses on screening individuals before they receive access to CUI systems. The second focuses on what happens during personnel changes such as terminations or transfers.

In a Microsoft GCC High environment, the first control is handled entirely through human resources and operational processes. The second control intersects directly with identity management because access to the environment is granted through Entra ID accounts and security groups.

This article is Part 9 of the NIST 800-171 GCC High Configuration Guide. It assumes you already have a functioning Microsoft GCC High tenant, understand the shared responsibility model, and are implementing against NIST SP 800-171 Rev. 2.


Personnel Security family overview

Personnel Security controls govern who is allowed to access systems that process CUI and what happens when their relationship with the organization changes. While many NIST 800-171 controls rely on technical configuration, this family is primarily implemented through hiring practices, access provisioning procedures, and identity lifecycle management.

Microsoft 365 GCC High does not provide background screening capabilities. Organizations must implement screening processes independently and ensure that accounts are created only after screening is complete.

However, GCC High becomes directly relevant for the second control. When employees leave or change roles, administrators must be able to immediately disable accounts, revoke sessions, and remove access to CUI resources.

| Control | Title | What it requires | Responsibility |
|---|---|---|---|
| 3.9.1 | Personnel Screening | Screen individuals before granting access to systems containing CUI. | Customer responsibility. |
| 3.9.2 | Personnel Actions | Protect systems during and after personnel actions such as termination or transfer. | Shared (HR process and identity management). |

PS controls and CMMC scope

Personnel Security controls apply to anyone who can access systems containing CUI. That includes employees, contractors, temporary staff, and administrators.

Organizations sometimes scope this family too narrowly by focusing only on direct employees. In practice, anyone with an account in the GCC High tenant that provides access to CUI systems must fall within the screening and personnel action procedures.

| User type | Personnel security expectation | Typical gap |
|---|---|---|
| Full-time employees | Background screening completed before account creation. | Access granted before screening completion. |
| Contractors | Screening requirements equivalent to employees. | Contractors exempted from screening policy. |
| Administrators | Enhanced screening or trust verification. | Privileged users treated the same as standard users. |
| Departing personnel | Accounts disabled immediately upon termination. | Accounts remain active after departure. |

PS Controls and GCC High Implementation

The Personnel Security family focuses on two operational moments: before access is granted and after personnel actions occur.

3.9.1 Personnel Screening

CMMC Practice: PS.L2-3.9.1

This control requires organizations to screen individuals before granting them access to systems that contain CUI.

The screening process is typically implemented through human resources procedures. Organizations define screening criteria such as background checks, identity verification, or citizenship verification depending on contract requirements.

The important operational detail is that screening must occur before access is granted.

In practice, this means user provisioning workflows should require HR approval confirming screening completion before an Entra ID account is created. Administrators should not create accounts or grant group membership until screening documentation exists.

Assessors reviewing this control usually request documentation describing the screening policy and records showing that individuals who currently have access to CUI systems were screened prior to account creation.

Organizations often ask whether government security clearances are required. For environments processing CUI, formal security clearances are not typically required unless specified by the contract. Standard background screening is usually sufficient.
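The following PowerShell is an added example and is not part of the original guide. It implements the gate described above, refusing to create an Entra ID account unless the HR screening export shows a completed screening for that UPN, and adds a second function that produces the comparison assessors ask for: screening completion dates against Entra ID account creation timestamps, with accounts that have no screening record or were created before screening completed flagged as findings. The HR export columns, the contoso.us accounts and the function names are assumptions; the sample export is constructed inline.

```powershell
# Added example (not the guide's own code): enforce "screening before account creation" and audit it afterwards.
# Assumed HR export format: UserPrincipalName,ScreeningType,ScreeningCompleted (ISO date, blank if not done).
Connect-MgGraph -Environment USGov -Scopes "User.ReadWrite.All"

# Constructed sample of the HR export, embedded so the logic can be read end to end
$hrCsv = @'
UserPrincipalName,ScreeningType,ScreeningCompleted
alice@contoso.us,Background check,2025-11-03
bob@contoso.us,Background check,
carol.contractor@contoso.us,Background check,2025-12-15
'@
$screening = @{}
foreach ($row in ($hrCsv | ConvertFrom-Csv)) {
    if ($row.ScreeningCompleted) {
        $screening[$row.UserPrincipalName.ToLower()] = [datetime]$row.ScreeningCompleted
    }
}

function Test-ScreeningComplete {
    param([string]$Upn, [hashtable]$Records)
    $key = $Upn.ToLower()
    return ($Records.ContainsKey($key) -and $Records[$key] -le (Get-Date))
}

# Provisioning gate: no completed screening record, no account. Run the same test before adding CUI group membership.
function New-ScreenedUser {
    param(
        [Parameter(Mandatory)][string]$Upn,
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$MailNickname,
        [Parameter(Mandatory)][securestring]$InitialPassword
    )
    if (-not (Test-ScreeningComplete -Upn $Upn -Records $screening)) {
        throw "Refusing to provision $Upn : no completed screening record in the HR export."
    }
    $passwordProfile = @{
        Password                      = [System.Net.NetworkCredential]::new('', $InitialPassword).Password
        ForceChangePasswordNextSignIn = $true
    }
    New-MgUser -UserPrincipalName $Upn -DisplayName $DisplayName -MailNickname $MailNickname `
        -AccountEnabled -PasswordProfile $passwordProfile
}

# Assessment evidence: every enabled account must have a screening date no later than its createdDateTime.
# Guests (UPN contains #EXT#) and service accounts will surface as NoScreeningRecord, which is exactly what you want to review.
function Get-ScreeningFindings {
    param([Parameter(Mandatory)][hashtable]$Records)
    Get-MgUser -All -Property "UserPrincipalName,AccountEnabled,CreatedDateTime,UserType" |
        Where-Object { $_.AccountEnabled } |
        ForEach-Object {
            $key = $_.UserPrincipalName.ToLower()
            $status = if (-not $Records.ContainsKey($key)) { 'NoScreeningRecord' }
                      elseif ($Records[$key] -gt $_.CreatedDateTime) { 'CreatedBeforeScreening' }
                      else { 'OK' }
            [pscustomobject]@{
                UserPrincipalName  = $_.UserPrincipalName
                UserType           = $_.UserType
                AccountCreated     = $_.CreatedDateTime
                ScreeningCompleted = $Records[$key]
                Status             = $status
            }
        }
}

# Export only the exceptions; the full list is the evidence, the exceptions are the findings
Get-ScreeningFindings -Records $screening |
    Where-Object Status -ne 'OK' |
    Export-Csv PS_3.9.1_ScreeningFindings.csv -NoTypeInformation
```

The provisioning gate and the audit share one lookup table, so the same HR export that authorizes account creation is the record an assessor later compares against createdDateTime; keeping those two in sync is what closes the "policy exists but no linking record" gap described later in this article.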

3.9.2 Personnel Actions

CMMC Practice: PS.L2-3.9.2

The second Personnel Security control governs what happens when employees leave the organization or change roles.

The core objective is simple: systems containing CUI must remain protected when personnel actions occur.

In a Microsoft 365 GCC High environment, this requirement is implemented primarily through identity lifecycle management. When a termination occurs, administrators should disable the user account immediately, then revoke active sessions, and remove the user from all security groups that grant access to CUI resources. The order matters: revocation invalidates refresh tokens, but access tokens already issued remain valid until they expire (roughly an hour by default) unless the application supports Continuous Access Evaluation, and an account that is still enabled can simply sign in again. If the account is synchronized from on-premises Active Directory, it must be disabled there and the change synchronized through Entra Connect, because the cloud-side attribute cannot be changed directly.

Transfer events require similar attention. When employees move between roles or departments, administrators should review group memberships and remove access that is no longer necessary.

Organizations usually implement a termination checklist that coordinates HR notifications, account disablement, device wipe procedures, and property return tracking.

Microsoft Entra ID provides the technical capabilities needed to enforce these actions. Administrators can disable accounts, revoke sessions, remove group memberships, and wipe managed devices through Intune.

Some organizations also automate parts of this process through Entra ID Lifecycle Workflows, which can trigger identity actions when employment status changes.

PS family PowerShell Commands

Personnel Security controls are operational processes, but administrators frequently use PowerShell to execute termination actions or verify account status.

Disable a terminated user account and remove group memberships

Connect-MgGraph -Environment USGov -Scopes "User.ReadWrite.All","GroupMember.ReadWrite.All","Directory.Read.All"

$user = Get-MgUser -UserId "terminated.user@contoso.us" -Property "Id,OnPremisesSyncEnabled"
if ($user.OnPremisesSyncEnabled) { throw "Synced account: disable it in on-premises AD and let Entra Connect sync the change." }

# 1. Block new sign-ins first
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 2. Remove group-granted access. Get-MgUserMemberOf also returns directory roles, so keep only groups.
$groups = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }

foreach ($group in $groups) {
    try { Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $user.Id -ErrorAction Stop }
    catch { Write-Warning "Not removed from $($group.AdditionalProperties['displayName']) (dynamic or synced group?): $($_.Exception.Message)" }
}


Revoke active user sessions

Connect-MgGraph -Environment USGov -Scopes "User.RevokeSessions.All"

# Invalidates refresh tokens. Access tokens already issued stay valid until they expire unless the app supports Continuous Access Evaluation.
Invoke-MgInvalidateUserRefreshToken -UserId "terminated.user@contoso.us"


Export inactive accounts for review

Connect-MgGraph -Environment USGov -Scopes "User.Read.All","AuditLog.Read.All"

# Sign-in logs are retained for at most 30 days, so query each user's signInActivity instead (requires Entra ID P1)
$cutoff = (Get-Date).AddDays(-90)
Get-MgUser -All -Property "UserPrincipalName,AccountEnabled,CreatedDateTime,SignInActivity" |
    Where-Object { $_.AccountEnabled -and $_.CreatedDateTime -lt $cutoff -and
                   (-not $_.SignInActivity.LastSignInDateTime -or $_.SignInActivity.LastSignInDateTime -lt $cutoff) } |
    Select-Object UserPrincipalName, CreatedDateTime,
        @{ Name = 'LastSignIn'; Expression = { $_.SignInActivity.LastSignInDateTime } } |
    Export-Csv PS_InactiveAccounts.csv -NoTypeInformation


These commands are often used to confirm that accounts have been disabled and that no inactive accounts remain in the environment.
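The snippets above each cover one step. As an added example, not code from the original guide, the script below strings the 3.9.2 actions together in the order the control needs and goes further than the snippets: it also strips directory roles and direct application role assignments, handles accounts synchronized from on-premises AD, optionally wipes Intune-managed devices, and finishes with a verification function that re-reads tenant state so the termination checklist records what is actually true rather than what the script attempted. It assumes the Microsoft Graph PowerShell SDK, an Intune-managed tenant, the contoso.us account name, and the function and switch names shown.

```powershell
# Added example (not the guide's own code): ordered offboarding runbook for 3.9.2 with a verification step.
# Scopes cover disable, session revocation, group/role/app-role removal, sign-in activity and Intune device listing/wipe.
Connect-MgGraph -Environment USGov -Scopes @(
    "User.ReadWrite.All", "User.RevokeSessions.All", "GroupMember.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory", "AppRoleAssignment.ReadWrite.All", "AuditLog.Read.All",
    "DeviceManagementManagedDevices.PrivilegedOperations.All", "DeviceManagementManagedDevices.Read.All"
)

function Invoke-CuiOffboarding {
    param(
        [Parameter(Mandatory)][string]$Upn,
        [switch]$WipeDevices   # off by default: confirm devices are corporate-owned before issuing a wipe
    )
    $user = Get-MgUser -UserId $Upn -Property "Id,UserPrincipalName,AccountEnabled,OnPremisesSyncEnabled"
    $log  = [System.Collections.Generic.List[string]]::new()

    # 1. Stop new sign-ins. A synced account is mastered in on-premises AD; disable it there and let Entra Connect sync it.
    if ($user.OnPremisesSyncEnabled) {
        $log.Add("SKIPPED disable: synced account, run Disable-ADAccount on-premises and force a sync")
    } else {
        Update-MgUser -UserId $user.Id -AccountEnabled:$false
        $log.Add("Disabled account")
    }

    # 2. End existing sessions. Refresh tokens die now; issued access tokens last until expiry unless the app honours CAE.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
    $log.Add("Revoked sign-in sessions")

    # 3. Remove group memberships and directory roles. memberOf returns both, so branch on the object type.
    $memberships = Get-MgUserMemberOf -UserId $user.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -in '#microsoft.graph.group', '#microsoft.graph.directoryRole' }
    foreach ($obj in $memberships) {
        $type = $obj.AdditionalProperties['@odata.type']
        $name = $obj.AdditionalProperties['displayName']
        try {
            if ($type -eq '#microsoft.graph.group') {
                Remove-MgGroupMemberByRef -GroupId $obj.Id -DirectoryObjectId $user.Id -ErrorAction Stop
            } else {
                Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $obj.Id -DirectoryObjectId $user.Id -ErrorAction Stop
            }
            $log.Add("Removed from $name")
        } catch {
            # Dynamic and on-premises-synced groups cannot be edited through Graph; surface the failure instead of silencing it
            $log.Add("FAILED to remove from $name : $($_.Exception.Message)")
        }
    }

    # 4. Drop direct application role assignments (enterprise app access that is not group-based)
    foreach ($ara in (Get-MgUserAppRoleAssignment -UserId $user.Id -All)) {
        Remove-MgUserAppRoleAssignment -UserId $user.Id -AppRoleAssignmentId $ara.Id
        $log.Add("Removed app role assignment on $($ara.ResourceDisplayName)")
    }

    # 5. Managed devices: always list them for the checklist, wipe only when asked
    foreach ($dev in (Get-MgUserManagedDevice -UserId $user.Id -All)) {
        if ($WipeDevices) {
            Invoke-MgWipeDeviceManagementManagedDevice -ManagedDeviceId $dev.Id
            $log.Add("Wipe issued for $($dev.DeviceName)")
        } else {
            $log.Add("Device pending action: $($dev.DeviceName) ($($dev.OperatingSystem))")
        }
    }
    return $log
}

# Verification for the termination checklist and for assessor evidence: re-read state instead of trusting the script's log
function Test-CuiOffboarding {
    param([Parameter(Mandatory)][string]$Upn, [Parameter(Mandatory)][datetime]$TerminatedOn)
    $user = Get-MgUser -UserId $Upn -Property "Id,AccountEnabled,SignInActivity"
    $remaining = @(Get-MgUserMemberOf -UserId $user.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -in '#microsoft.graph.group', '#microsoft.graph.directoryRole' })
    $lastSignIn  = $user.SignInActivity.LastSignInDateTime
    $signInAfter = [bool]($lastSignIn -and $lastSignIn -gt $TerminatedOn)   # a sign-in after termination is a finding by itself
    [pscustomobject]@{
        UserPrincipalName      = $Upn
        AccountDisabled        = -not $user.AccountEnabled
        RemainingGroupsOrRoles = $remaining.Count
        LastSignIn             = $lastSignIn
        SignInAfterTermination = $signInAfter
        Compliant              = (-not $user.AccountEnabled) -and ($remaining.Count -eq 0) -and (-not $signInAfter)
    }
}

Invoke-CuiOffboarding -Upn "terminated.user@contoso.us"
Test-CuiOffboarding -Upn "terminated.user@contoso.us" -TerminatedOn (Get-Date)
```

Keep the output of both functions with the termination ticket: the log shows what was attempted (including group removals that failed because the group is dynamic or synced), and the verification object is the evidence that the account is disabled, holds no remaining group or role membership, and has not signed in since the termination date. PIM-eligible role assignments are not returned by memberOf and need to be reviewed separately.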

Evidence your C3PAO will likely want to see

Assessors reviewing Personnel Security controls typically start with documentation describing the organization’s screening and termination procedures.

They then verify that the documented procedures are actually followed by comparing personnel records, account creation timestamps, and termination records.

| Control | Evidence examples | What the assessor verifies |
|---|---|---|
| 3.9.1 Personnel Screening | Screening policy and screening records. | Individuals are screened before access is granted. |
| 3.9.2 Personnel Actions | Termination procedures, audit logs, disabled accounts. | Access removed promptly after personnel changes. |

Common assessment findings across the PS Family

One of the most common issues appears when organizations cannot demonstrate that screening occurred before account creation. Screening policies may exist, but records linking screening completion to the provisioning process are often missing.

Termination procedures also create frequent findings. Assessors regularly encounter accounts that remain active after an employee has left the organization. Even a delay of a day or two between termination and account disablement can raise questions about the effectiveness of personnel action procedures.

Another common problem is the presence of orphaned accounts belonging to former employees. Periodic account reviews help prevent this situation.

Organizations also sometimes overlook contractors when implementing screening and termination processes. Anyone with access to systems containing CUI must fall within the same personnel security procedures.

How the Personnel Security family supports other control families

Personnel Security controls support several other control families by ensuring that only authorized individuals have access to sensitive systems.

Access Control and Identification and Authentication controls depend on accurate user lifecycle management. When accounts are disabled promptly and access is updated during role changes, those technical controls remain effective.

Personnel actions also reinforce Incident Response and Configuration Management processes. Removing access quickly reduces the risk that former employees or contractors could access systems after leaving the organization.

In practice, organizations that manage personnel actions carefully often experience fewer issues across multiple control families because identity management remains tightly aligned with employment status.

Get started

Personnel Security controls focus on one of the most critical moments in any security program: the transition between employment and system access.

During a CMMC assessment, organizations must demonstrate that individuals were screened before receiving access under PS.L2-3.9.1 and that access is promptly revoked when personnel actions occur under PS.L2-3.9.2.

Secureframe Defense helps organizations track user lifecycle events and maintain evidence showing that screening and termination procedures are followed consistently across their GCC High environment.

See how Secureframe Defense automates CMMC evidence collection for the PS family by scheduling a demo with a product expert.


Emily Bonnie

Senior Content Marketing Manager

Emily Bonnie is a seasoned digital marketing strategist with over ten years of experience creating content that attracts, engages, and converts for leading SaaS companies. At Secureframe, she helps demystify complex governance, risk, and compliance (GRC) topics, turning technical frameworks and regulations into accessible, actionable guidance. Her work aims to empower organizations of all sizes to strengthen their security posture, streamline compliance, and build lasting trust with customers.

Anna Fitzgerald

Senior Content Marketing Manager

Anna Fitzgerald is a digital and product marketing professional with nearly a decade of experience delivering high-quality content across highly regulated and technical industries, including healthcare, web development, and cybersecurity compliance. At Secureframe, she specializes in translating complex regulatory frameworks—such as CMMC, FedRAMP, NIST, and SOC 2—into practical resources that help organizations of all sizes and maturity levels meet evolving compliance requirements and improve their overall risk management strategy.