§ Trackr.Live

PS — Personnel Security

Personnel Security is the control family that admits people are part of the attack surface. PS governs the human side of access across the employment lifecycle: how you decide a position is sensitive, how you vet the person in it, what they sign, what happens when they move teams or walk out the door, and what you do when they break the rules. It does not provision their accounts (that is AC-2) or authenticate them (that is IA). PS decides whether you should trust the human at all, and on what terms.

A schematic of the employment lifecycle as a loop: an applicant figure passing through a screening gate, into an access enclave, then out through a termination gate, with a credential being revoked at exit.

The common framing reduces PS to “insider threat,” and that is too narrow. Malicious insiders are one tail of the distribution. The bulk of what PS controls is mundane trust hygiene: the contractor whose clearance lapsed, the transferred analyst who kept their old project’s access, the terminated employee whose account stayed live for three weeks because nobody told IT. Most PS failures are administrative drift, not espionage. An SSP narrative that talks only about malicious actors is describing a movie, not the control.

PS is an SP 800-53 catalog family, not a stage of the RMF. The RMF is the SP 800-37 process (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor). PS controls get pulled in at Select off the 800-53B baseline, implemented at Implement, graded at Assess. What is unusual about PS is how low the bar sits: PS-1 through PS-9 are all allocated at the Low baseline, so even a Low-impact system carries the entire family. There is no “we’re only Low, PS doesn’t really apply” escape hatch, and assessors know it.

What’s in the family

In Rev 5 the PS family runs PS-1 through PS-9 and, unlike some families, nothing in that range is withdrawn. All nine are live. Rev 5 renamed the -1 control to the standard “Policy and Procedures” form, renamed PS-7 from “Third-Party Personnel Security” to “External Personnel Security,” and added PS-9, which did not exist in Rev 4. An SSP still saying “Third-Party” is quoting Rev 4, the kind of small staleness an assessor uses to gauge how current the rest of the document is.

  • PS-1, Policy and Procedures. The org-level personnel-security policy and the procedures that operationalize it. Like every -1, everything below inherits from it, and it is the first thing pulled in an assessment.
  • PS-2, Position Risk Designation. A risk or sensitivity level for each position. The spine of the family, because PS-2 drives the screening depth in PS-3. Get the designation wrong and every downstream screening decision inherits the error.
  • PS-3, Personnel Screening. Screen before granting access, rescreen on a defined cadence. The depth keys off PS-2: a Low-risk position needs a basic check, a Critical-Sensitive national-security position pulls a full background investigation and clearance adjudication.
  • PS-4, Personnel Termination. The offboarding control. Disable access, retrieve credentials and property, run exit interviews where required, inside a defined window. PS-4(2), Automated Actions (in at Moderate), adds automated mechanisms that notify the people who flip the switches, disable the access directly, or both. Where the family most often bleeds into AC-2, and the single most-checked thing in PS (more below).
  • PS-5, Personnel Transfer. The internal-move control, and the one people forget. On a role change, old access is supposed to be reviewed and trimmed, not stacked on top of the new grants. Transfer is where least-privilege quietly dies.
  • PS-6, Access Agreements. The signed paperwork: rules of behavior, NDAs, acceptable-use, nondisclosure for sensitive data. Signed before access, re-signed on a cadence or when terms change.
  • PS-7, External Personnel Security. Contractors, integrators, and other third-party staff. You push your PS requirements onto the provider by contract and verify they screen their people. It is also where you define who notifies you when a contractor’s status changes, the part everyone leaves vague.
  • PS-8, Personnel Sanctions. The consequences side: a formal process for personnel who break security policy, with the right people notified when it triggers. Toothless on paper at most orgs, but the control wants it documented and real.
  • PS-9, Position Descriptions. Position descriptions include the security roles and responsibilities for the role. New in Rev 5, and it closes the loop with PS-2: the risk designation and the documented duties should agree.

Baselines and where the controls come from

The baselines moved out of the catalog in Rev 5 and live in SP 800-53B now, the document you tailor against. FIPS 199 sets categorization, FIPS 200 the minimum-security floor, and 800-53B turns the impact level into a starting set. National-security systems use CNSSI 1253; FedRAMP and DoD (via DoDI 8510.01) layer their own overlays on top.

For PS the tailoring conversation is rarely about removing controls. It is about depth, and that depth comes from outside 800-53. OPM position-sensitivity designations and the suitability rules in 5 CFR 731, plus the SEAD-series clearance guidance, set how hard PS-2 and PS-3 actually bite. The 800-53 control tells you to designate and screen; it does not give you the tier structure. The SSP has to point at the real authority, not paraphrase the catalog.

Deeper: PS-2 is load-bearing and almost nobody treats it that way.
Position Risk Designation looks like an HR formality, a box on a form. It is actually the input that sets screening depth, reinvestigation cadence, and clearance level for every person in that seat. The federal scheme runs Low Risk for non-sensitive positions and Moderate and High Risk for public-trust positions, and separately Noncritical-Sensitive, Critical-Sensitive, and Special-Sensitive for national-security positions, with the investigation tier (the old Tier 1 through Tier 5 structure, now folding into Trusted Workforce 2.0) keyed to the designation. Do PS-2 lazily and every seat gets stamped Low, so you are screening a DBA with root on a Moderate system to the same depth as a receptionist. The reinvestigation clock keys off the designation too, so people sit on stale investigations past their interval and nobody flags it. Assessors who know the family pull a few high-access roles and check the designation against the actual access. A privileged sysadmin designated Low Risk is a finding, and it points straight back at PS-2.

Control | Typically first live at | What an assessor actually checks
------- | ----------------------- | --------------------------------
PS-2    | Low | Pull a sample of high-access roles; confirm the risk designation matches the sensitivity of what they can touch.
PS-3    | Low | Screening records exist and predate access; reinvestigation dates are current for the assigned tier.
PS-4    | Low | Sample terminated employees against the account directory. Live accounts post-termination = finding. Check the disable timestamp against the policy window.
PS-5    | Low | Pick someone who changed roles; confirm old access was reviewed and trimmed, not just added to.
PS-6    | Low | Signed access agreements on file, dated before access, current for anyone still active.
PS-7    | Low | Contract language imposes the org’s PS requirements; evidence the provider actually screens.
PS-8    | Low | A documented sanctions process exists and the notification chain is real.
PS-9    | Low | Position descriptions name the security roles and duties; cross-check the designation against PS-2.

Treat “first live at” as directional. Overlays pull enhancements in earlier, and DoD systems carry clearance requirements 800-53B alone doesn’t capture.

The offboarding gap: PS-4 meets AC-2

Here is the cross-family seam every assessor probes, because it fails constantly. PS-4 says terminate access on departure. AC-2 says manage the account lifecycle, disable and removal included. The two live in different families, get written by different people in the SSP, and depend on a handoff that is almost always manual: HR knows someone left, IT has to act on it, and the gap between those two facts is where terminated accounts stay live.

The mechanics are boring and reliable. HR processes the separation. A nightly feed, a ticket, an email, or (worse) a phone call is supposed to tell identity management to disable the account. The feed runs late, the ticket sits in a queue, or the manager forgot to file it because the last day was a Friday and the form is annoying. Now a live account with valid credentials belongs to someone who no longer works there, and depending on your SSO posture it may still hit a dozen downstream systems.

What an assessor does about it is simple. Pull separations from HR for the last quarter, pull the current directory, join them. Any terminated person with an enabled account is a finding, and the disable timestamp tells the rest. If policy says 24 hours and the timestamps show a five-day median, the control is Other Than Satisfied regardless of the narrative.

The fix is to stop pretending the HR-to-IT handoff is reliable and instrument it. Feed terminations from the authoritative HR system into your IGA or directory so the disable is a consequence of the HR action, not a separate human step, and run the cross-check yourself before the assessor does. AC-2(3) inactivity-based disable is the cheap backstop: an account auto-disabled after the organization-defined idle period (35 days is the figure many baselines use) catches the offboarding the workflow dropped entirely. It is only a backstop, though. It does nothing for an account that is still being used, and a departed employee or an attacker holding their credentials is exactly the user who keeps it from going idle. Disabling the directory object also does not by itself end sessions, refresh tokens, SSH keys, or API tokens already issued; the termination procedure has to revoke those too, and the secondary admin account is the one most often missed. PS-4 and AC-2 should tell the same story in the SSP. When they contradict, the assessor believes the directory, not the prose.
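The cross-check described above, as an added example rather than anything from the page, NIST, or a vendor. It does what the assessor does: load the HR separation feed and the directory export, join them on employee ID, and report every account that is still enabled after the separation date, was disabled later than the policy window allows, or was disabled with no timestamp to evidence it. The CSV rows, the column names, the 24-hour window, and the employee IDs are all constructed assumptions standing in for the org's real feeds.

```python
"""
PS-4 / AC-2 offboarding reconciliation.

Added example, not code from the page or from NIST. Joins an HR separation
feed against a directory export and reports accounts that survived termination
or were disabled outside the policy window. All rows, field names and the
24-hour window below are constructed assumptions.
"""
import csv
import io
from datetime import datetime, timedelta, timezone
from statistics import median

# Assumed org-defined PS-4 parameter: access disabled within 24 hours of separation.
POLICY_WINDOW = timedelta(hours=24)

# Constructed HR separation feed (fictional employee IDs, last day as UTC timestamp).
HR_SEPARATIONS_CSV = """employee_id,last_day
E1001,2024-03-01T17:00:00Z
E1002,2024-03-08T17:00:00Z
E1003,2024-03-15T17:00:00Z
E1004,2024-03-22T17:00:00Z
"""

# Constructed directory export. Column layout is an assumption about the export;
# 'disabled_at' is empty when the directory holds no record of when the disable happened.
DIRECTORY_CSV = """username,employee_id,enabled,disabled_at
asmith,E1001,false,2024-03-02T09:12:00Z
asmith-adm,E1001,false,2024-03-09T10:00:00Z
bjones,E1002,false,2024-03-08T17:30:00Z
cwu,E1003,true,
dlee,E1004,false,
ekim,E2001,true,
"""


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with trailing Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_separations(text: str) -> dict:
    """Map employee_id -> separation datetime from the HR feed."""
    return {row["employee_id"]: parse_ts(row["last_day"])
            for row in csv.DictReader(io.StringIO(text))}


def load_accounts(text: str) -> list:
    """Parse directory rows into typed dicts."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append({
            "username": row["username"],
            "employee_id": row["employee_id"],
            "enabled": row["enabled"].strip().lower() == "true",
            "disabled_at": parse_ts(row["disabled_at"]) if row["disabled_at"].strip() else None,
        })
    return accounts


def reconcile(separations: dict, accounts: list, now: datetime,
              window: timedelta = POLICY_WINDOW) -> dict:
    """
    Join directory accounts against HR separations.

    Returns {"findings": [(kind, username, hours)], "median_latency_hours": float or None}.
      LIVE_AFTER_TERMINATION  account still enabled; hours since separation
      DISABLED_LATE           disabled, but later than the window; disable latency in hours
      NO_DISABLE_TIMESTAMP    disabled, but no timestamp, so the window cannot be evidenced
    Accounts whose owner has no separation record are skipped (still employed).
    """
    findings, latencies_h = [], []
    window_h = window.total_seconds() / 3600
    for acct in accounts:
        last_day = separations.get(acct["employee_id"])
        if last_day is None:
            continue
        if acct["enabled"]:
            age_h = (now - last_day).total_seconds() / 3600
            findings.append(("LIVE_AFTER_TERMINATION", acct["username"], round(age_h, 1)))
        elif acct["disabled_at"] is None:
            findings.append(("NO_DISABLE_TIMESTAMP", acct["username"], None))
        else:
            latency_h = (acct["disabled_at"] - last_day).total_seconds() / 3600
            latencies_h.append(latency_h)
            if latency_h > window_h:
                findings.append(("DISABLED_LATE", acct["username"], round(latency_h, 1)))
    return {"findings": findings,
            "median_latency_hours": round(median(latencies_h), 1) if latencies_h else None}


def run_sample() -> dict:
    """Run the reconciliation over the constructed feeds as of a fixed assessment date."""
    now = datetime(2024, 4, 1, tzinfo=timezone.utc)
    return reconcile(load_separations(HR_SEPARATIONS_CSV), load_accounts(DIRECTORY_CSV), now)


if __name__ == "__main__":
    result = run_sample()
    for kind, user, hours in result["findings"]:
        print(f"{kind:<24} {user:<12} {'-' if hours is None else hours}")
    print("median disable latency (h):", result["median_latency_hours"])
```

On the constructed data the primary account asmith was disabled inside the window but the secondary admin account asmith-adm sat live for a week, cwu is still enabled sixteen days after leaving, and dlee is disabled with no timestamp, which an assessor will treat as unevidenced rather than satisfied. Running the same join on the real HR feed and directory export each week is the cheapest way to find these before the SAR does.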

Where else it goes brittle

PS-5 transfer is the quiet one. Termination has a clear trigger. Transfers don’t, because the person is still an employee, still has a badge, still shows up. Their access just accretes. The control wants the old access reviewed against the new role, and that review is the step everyone skips. The result is the eleven-year employee who can still touch everything their role three departments ago could. Cross-reference PS-5 against AC-6 least privilege and the same finding lands from two directions.

PS-7 external personnel and the notification gap. You can write screening requirements into a contract. The part that breaks is offboarding: when a contractor rolls off, who tells you to kill their access? The prime’s PM, in theory; in practice the notification is informal and slow, and contractor accounts outlive engagements routinely. Same offboarding failure as PS-4, except the trigger lives in an org you don’t control.

PS-8 sanctions as paperwork. Most orgs have a sanctions policy and have never invoked it. Fine for the control, which asks for a process and a notification chain, not a body count. The brittle part is the notification: if the only people who hear about a fired-for-cause employee are HR and a manager, the security side never learns that someone with access just turned hostile.

Artifacts

PS evidence is more documentary than technical, which trips up engineers who expect to point at a config. The SSP carries the narratives, but the real evidence lives in HR and security records: risk designations, screening and investigation records, signed access agreements, separation logs, transfer reviews, the sanctions policy. The SAR is the verdict; the POA&M holds what failed.

The fastest way to fail a PS assessment is an SSP that restates the catalog. “The organization screens personnel commensurate with risk designations” tells the assessor nothing. Which designation scheme? Which investigation tiers? What is the PS-4 disable window in hours, and can you show timestamps that meet it? Narratives that would slot unchanged into any other org’s SSP are too generic, and generic is the most common reason these come back Other Than Satisfied.
