You may think of the Cybersecurity Maturity Model Certification (CMMC) as a framework that deals exclusively with the technical side of cybersecurity. However, the human factor also plays a role in IT. So, does CMMC require background checks? Keep reading to find out.
What Is CMMC?
The Cybersecurity Maturity Model Certification is a three-level model created by the Department of Defense (DoD) to ensure that Defense contractors take adequate measures to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
CMMC is divided into three progressively advanced levels:
- Level 1: Foundational (17 practices)
- Level 2: Advanced (110 practices aligned with NIST SP 800-171)
- Level 3: Expert (110+ practices based on NIST SP 800-171 and 800-172)
To learn more about different aspects of CMMC, read our previous blogs: “What Are CMMC Controls?” and “CMMC for Small Businesses: a Starter Kit.”
What Are Background Checks?
A background check (or background screening) is a process that helps corroborate aspects of an individual’s life such as criminal record, employment history, and academic achievements.
Background checks are typically carried out when an individual applies for a job or before they are promoted to a position that entails access to sensitive information.
Whether it’s a private employer or a government agency, any entity carrying out a background check is required to comply with a number of local and federal laws (such as the Fair Credit Reporting Act) in order to preserve the rights of the person whose data is being screened.
CMMC and Background Checks
So, does CMMC require background checks? The answer is “it depends.”
CMMC Level 1 does not include a background check requirement. However, CMMC Level 2 does. And although the practices that will constitute CMMC Level 3 are still being defined, CMMC levels are progressive, which means that any requirement included in CMMC Level 2 will also be part of CMMC Level 3.
In other words, if you aspire to attain CMMC Level 2 or higher, then you’ll need to deal with a screening requirement.
More specifically, the CMMC domain Personnel Security (PS) mandates the practice Screen Individuals (PS.L2-3.9.1), which requires Defense contractors to “Screen individuals prior to authorizing access to organizational systems containing CUI.”
This means that you will need to ensure that all employees who need access to Controlled Unclassified Information (CUI) undergo appropriate background screening before being granted access.
The type of screening to be performed will be based on the requirements for a given position and role. This may include, among others, criminal background and credit checks.
As you tackle this aspect of CMMC compliance, seek the assistance of a specialized company to ensure that your screening program as well as the decisions you make comply with all applicable legislation.
Need To Achieve CMMC Compliance? We Are Here To Help
Whether it’s CMMC, NIST SP 800-171, DFARS, or ITAR, we help organizations achieve compliance with all applicable cybersecurity regulations at any level so that they can win and maintain Department of Defense (DoD) contracts.
Brea Networks, LLC is a fully Registered Provider Organization (RPO) and is a Microsoft partner with full Microsoft GCC High licensing and migration solutions.
Contact our CMMC Registered Practitioners today.
Brea Networks, LLC / CMMCCompliance.us
451 W. Lambert Rd Suite 214
Brea, CA 92821
Tel: (714) 592-0063