PS-7: External Personnel Security
From NIST's SP800-53:
a. Establish personnel security requirements, including security roles and responsibilities for external providers;
b. Require external providers to comply with personnel security policies and procedures established by the organization;
c. Document personnel security requirements;
d. Require external providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within [Assignment: organization-defined time period]; and
e. Monitor provider compliance with personnel security requirements.
SP800-53 Control Mapped to NIST Cyber Security Framework
Generated from NIST's SP800-53/CSF Crosswalk mappings.
Control ID | Description |
---|---|
ID.GV-2 | Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners |
PR.IP-11 | Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) |
DE.CM-6 | External service provider activity is monitored to detect potential cybersecurity events |
ID.SC-4 | Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations. |
PR.AT-3 | Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities |
ID.AM-6 | Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established |