CMMC v2.11 Practices

PS.L3-3.9.2e

Reference: CMMC v2.11

Family: PS

Level Introduced: 3

Title: Adverse Information

Practice:
Ensure that organizational systems are protected if adverse information develops or is obtained about individuals with access to CUI.

Further Discussion:
According to the Defense Counterintelligence and Security Agency (DCSA) (Industrial Security Letter ISL 2011-04, revised July 15, 2020), adverse information consists of any information that negatively reflects on the integrity or character of an individual. This pertains to an individual's ability to safeguard sensitive information, such as CUI. Adverse information may be as simple as a report showing that someone has sent sensitive information outside the organization or used unapproved software, against company policy. An organization may receive adverse information about an individual through police reports, reported violations of company policies (including social media posts that directly violate company policies), and revocation or suspension of a DoD clearance.

When adverse information is identified about a given individual, the organization should take action to validate that information resources accessible by the individual have been identified and appropriate protection mechanisms are in place to safeguard information and system configurations. Based on organizational policy, an individual’s access to resources may be more closely monitored or restricted until further review. Logs should be examined to identify any attempt to perform unauthorized actions.

Example
You learn that one of your employees has been convicted on shoplifting charges. Based on organizational policy, you report this information to human resources (HR), which verifies the information with a criminal background check [a,b,c]. Per policy, you increase the monitoring of the employee’s access to ensure that the employee does not exhibit patterns of behavior consistent with an insider threat [d]. You maintain contact with HR as they investigate the adverse information so that you can take stronger actions if required, such as removing access to organizational systems.
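The discussion above describes three concrete steps once adverse information is validated: identify the CUI resources the individual can reach, place that individual under closer monitoring, and examine logs for attempted unauthorized actions. The following is an added example (not part of the CMMC text or any DoD tool) that sketches those steps in Python: an access inventory and a watchlist are hypothetical data structures, the log lines are constructed, and the business-hours window is an assumed organizational policy.

```python
from datetime import datetime

# Constructed, hypothetical data for illustration only (not from the CMMC page).
# Which CUI-bearing systems each individual is authorized to reach.
CUI_ACCESS_INVENTORY = {
    "jsmith": {"cui-share", "cui-erp", "vpn"},
    "alee": {"cui-share"},
}

# Individuals for whom validated adverse information exists (hypothetical).
ADVERSE_INFO_WATCHLIST = {"jsmith"}

# Assumed policy: activity outside 08:00-17:59 is reviewed for watchlisted users.
BUSINESS_HOURS = (8, 18)

# Constructed sample audit lines in a simple key=value format.
SAMPLE_LOGS = [
    "2024-03-01T09:12:04Z user=jsmith system=cui-share action=read object=/contracts/A.pdf result=success",
    "2024-03-01T22:47:19Z user=jsmith system=cui-share action=download object=/contracts/all.zip result=success",
    "2024-03-01T22:50:02Z user=jsmith system=cui-erp action=export object=vendor_list result=denied",
    "2024-03-02T10:05:33Z user=alee system=cui-share action=read object=/contracts/B.pdf result=success",
    "2024-03-02T10:06:01Z user=jsmith system=hr-portal action=read object=payroll result=denied",
]


def parse_log_line(line):
    """Split a constructed 'timestamp k=v k=v ...' line into a dict."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def resources_for(user, inventory=CUI_ACCESS_INVENTORY):
    """Step 1: enumerate the CUI resources the individual can reach."""
    return sorted(inventory.get(user, set()))


def assess_event(event, inventory=CUI_ACCESS_INVENTORY, hours=BUSINESS_HOURS):
    """Step 3: return the review reasons that apply to one event (empty if none)."""
    reasons = []
    if event.get("result") == "denied":
        reasons.append("denied")  # an attempted action that was refused
    if not (hours[0] <= event["ts"].hour < hours[1]):
        reasons.append("off_hours")  # activity outside the assumed policy window
    if event.get("system") not in inventory.get(event.get("user"), set()):
        reasons.append("system_not_in_inventory")  # reached a system not in the inventory
    return reasons


def scan_logs(lines, watchlist=ADVERSE_INFO_WATCHLIST, inventory=CUI_ACCESS_INVENTORY):
    """Step 2: apply closer review only to watchlisted users and collect findings."""
    findings = []
    for line in lines:
        event = parse_log_line(line)
        if event.get("user") not in watchlist:
            continue
        reasons = assess_event(event, inventory)
        if reasons:
            findings.append({
                "user": event["user"],
                "system": event["system"],
                "action": event["action"],
                "ts": event["ts"].isoformat(),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for user in ADVERSE_INFO_WATCHLIST:
        print(f"{user}: CUI resources under review -> {resources_for(user)}")
    for finding in scan_logs(SAMPLE_LOGS):
        print(finding)
```

The findings are review prompts for the team working with HR, not automatic lockouts; whether an off-hours download or a denied export warrants restricting access is a policy decision, which is why the block only reports and leaves the response to the organization's procedure.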

Potential Assessment Considerations
• Does the organization define the protection mechanisms for organizational systems if adverse information develops or is obtained about an individual with access to CUI [d]?


Source: CMMC v2.11