
3.9.1 — Screen Before Access

Screen individuals prior to authorizing access to organizational systems containing CUI.

Every person — employee, contractor, or temporary worker — must pass an organization-defined background screening before they are granted access to any system containing CUI. No access until the check clears.

What the assessor checks:

  1. Screening is defined. You have a documented policy specifying what screening is required, what it covers (criminal history, employment verification, credit check, etc.), and what thresholds apply. The level of screening should match the sensitivity of access — someone with access to the entire CUI repository may warrant more thorough screening than someone with limited access.

  2. Screening happens before access. The timeline matters. CUI system access is not provisioned until HR confirms the background check has cleared. No “provisional access while we wait for results.” The assessor will compare the date of the background check clearance against the date of first system access.

  3. Contractors are included. This isn’t limited to employees. Contractors, subcontractors, and temporary personnel who will access CUI systems must also be screened. Your MSA or subcontract should specify screening requirements.
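An added example, not part of the original page: one way to run the date comparison from item 2 yourself, for employees and contractors alike, before the assessor does. The CSV layouts, column names and sample rows are constructed assumptions, and a clearance dated the same day as provisioning is treated as passing because these exports carry dates only.

```python
import csv
import io
from datetime import date

# Constructed sample exports (not real data). Column names are assumptions
# about what an HR system and an identity platform might export.
SCREENING_CSV = """person_id,worker_type,status,cleared_on
e100,employee,cleared,2024-03-01
e101,employee,pending,
c200,contractor,cleared,2024-04-10
e102,employee,cleared,2024-05-20
"""

ACCESS_CSV = """person_id,system,provisioned_on
e100,cui-fileshare,2024-03-04
e101,cui-fileshare,2024-03-15
c200,cui-fileshare,2024-04-08
c201,cui-fileshare,2024-04-12
e102,cui-fileshare,2024-05-20
"""


def audit(screening_csv, access_csv):
    """Return (person_id, system, finding) for each CUI grant lacking prior clearance."""
    screening = {r["person_id"]: r for r in csv.DictReader(io.StringIO(screening_csv))}
    findings = []
    for grant in csv.DictReader(io.StringIO(access_csv)):
        pid, system = grant["person_id"], grant["system"]
        provisioned = date.fromisoformat(grant["provisioned_on"])
        record = screening.get(pid)
        if record is None:
            finding = "no screening record"  # e.g. an unscreened contractor
        elif record["status"] != "cleared" or not record["cleared_on"]:
            finding = f"screening status is {record['status']!r}"
        elif date.fromisoformat(record["cleared_on"]) > provisioned:
            finding = f"access {provisioned} precedes clearance {record['cleared_on']}"
        else:
            continue  # cleared on or before the provisioning date (assumed passing)
        findings.append((pid, system, finding))
    return findings


if __name__ == "__main__":
    for pid, system, finding in audit(SCREENING_CSV, ACCESS_CSV):
        print(f"{pid}\t{system}\t{finding}")
```

An empty result is the state the assessor expects; if both systems record timestamps, compare those instead of dates so same-day ordering is unambiguous.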


Your assessor needs a “yes” to every row:

| # | Question | What “yes” looks like |
|---|----------|------------------------|
| 1 | Are individuals screened prior to authorizing access to CUI systems? | Background check completion date precedes system access provisioning date for every user |

Documents they’ll review: Personnel security policy; screening procedures; records of completed screenings (dates and outcomes); system security plan; evidence showing access was not provisioned before screening cleared

People they’ll talk to: Personnel with HR/security screening responsibilities; information security personnel; hiring managers

Live demos they’ll ask for: “Show me a recent hire — when did their background check clear? When were they given CUI access?” “What screening do you require for contractors?”


These are the actual questions. Have answers ready.

  • “What screening do you require before granting CUI access?”
  • “Show me a recent hire’s timeline — background check date vs. access provisioning date.”
  • “Are contractors screened to the same standard as employees?”
  • “What happens if a background check comes back with a flag?”
  • “Is there any scenario where someone gets CUI access before screening completes?”

Access before screening. New hire gets a laptop and CUI access on day one while the background check is still pending. The fix: don’t provision CUI system access until HR confirms the screening is complete. General onboarding (email, non-CUI systems) can proceed, but CUI access waits.

No contractor screening. Employees are screened but contractors aren’t — “that’s their employer’s responsibility.” Your policy and MSA must ensure screening happens regardless of employment relationship. You need evidence.

No documented process. Screening happens informally but there’s no written procedure or record-keeping. Document the policy, the screening requirements, and keep records of completion dates.



| Requirement | Why it matters here |
|-------------|---------------------|
| 3.9.2 — Revoke on Departure | The offboarding counterpart — remove access when people leave |
| 3.1.1 — Who Gets In | Screening feeds the authorization decision for system access |
| 3.5.1 — Prove Who You Are | Screened individuals receive unique identities for CUI access |

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.


CMMC Practice ID: PS.L2-3.9.1 | SPRS Weight: 3 points | POA&M Eligible: No