Welcome to our comprehensive Personnel Security (PS) Guide for CMMC Level 2.0 Compliance. This guide is designed specifically to support small and medium-sized businesses, as well as DoD contractors, in achieving Personnel Security compliance & gathering evidence for CMMC Level 2.
In this guide, we provide a clear and practical approach to navigating the personnel security requirements set out in CMMC Level 2.0. From personnel screening processes to updating your System Security Plan (SSP), we’ll guide you through each essential control with actionable steps and evidence-gathering tips to meet compliance with confidence.
PS.L2-3.9.1 – SCREEN INDIVIDUALS FOR PERSONNEL SECURITY
“Screen individuals prior to authorizing access to information systems containing CUI.”
Level Of Effort: Low
This control means that businesses have to check how trustworthy people are before letting them use systems with Controlled Unclassified Information (CUI).
Recommendations:
- Conduct criminal background checks: The usual way companies handle this is by doing criminal background checks on new employees or current employees who haven’t been checked before.
Evidence:
- For conducting background checks: Keep records of these background checks. Also, update your System Security Plan (SSP) to show that you’re keeping track of who’s been checked and that you’re following this screening process.
PS.L2-3.9.2 – PERSONNEL ACTIONS
“Ensure that CUI and information systems containing CUI are protected during and after personnel actions such as terminations and transfers.”
Level Of Effort: Low
This control makes sure that systems with CUI stay safe when people change jobs or leave the company. It requires a plan for turning off their system access. Follow this plan carefully whenever there’s a change in personnel.
Recommendations:
- Checklists for new and leaving employees: Create checklists that help you keep track of the important steps. When new employees or contractors come in, check their backgrounds, decide carefully who gets access to your systems and to CUI, and make sure they receive the right training.
Evidence:
- Using checklists: Keep these checklists and update your SSP with this info. This shows you’re paying attention to these important steps.
A quick tip: You can find examples of Termination Checklists here. You can change them a bit to fit what your company needs. They’re a good starting point to make sure you’re doing everything right when someone leaves the company.