STIGhub, a free STIG search and compliance tool. © 2026 Beacon Cloud Solutions, Inc.

PS-7

Personnel Security · Rev 5 · organization

External Personnel Security

Baselines: Low, Moderate, High

Control Statement

a. Establish personnel security requirements, including security roles and responsibilities for external providers;
b. Require external providers to comply with personnel security policies and procedures established by the organization;
c. Document personnel security requirements;
d. Require external providers to notify [Assignment: personnel or roles] of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within [Assignment: time period]; and
e. Monitor provider compliance with personnel security requirements.

Supplemental Guidance

External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals.

Related Controls (12)

AT-2, AT-3, MA-5, PE-3, PS-2, PS-3, PS-4, PS-5, PS-6, SA-5, SA-9, SA-21

CCI Identifiers (9)

CCI-001539: Establish personnel security requirements including security roles and responsibilities for external providers.
CCI-001540: Document personnel security requirements.
CCI-001541: Monitor provider compliance with personnel security requirements.
CCI-003043: Defines the time period for external providers to notify organization-defined personnel or roles when external personnel who possess organizational credentials and/or badges, or who have system privileges are transferred or terminated.
CCI-003040: The organization requires third-party providers to comply with personnel security policies and procedures established by the organization.
CCI-003041: Require external providers to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within an organization-defined time period.
CCI-003042: Defines personnel or roles whom external providers are to notify when external personnel who possess organizational credentials and/or badges or who have system privileges are transferred or terminated.
CCI-004519: Require external providers to comply with personnel security policies established by the organization.
CCI-004520: Require external providers to comply with personnel security procedures established by the organization.

Linked STIG Checks (0)

No STIG checks reference this control.