
Personnel Security (PS)

Contact: ISPG Policy Team | CISO@cms.hhs.gov
CMS Slack Channel: #ispg-sec_privacy-policy

Last Reviewed: 6/24/2025

This page provides guidance for following the requirements of the PS control family from the CMS ARS. Business Owners, ISSOs, and application teams should review these guidelines to ensure compliance with CMS security and privacy standards.

What is Personnel Security (PS)?

Personnel Security (PS) protects information systems by focusing on the people who access them. It ensures that individuals in positions of responsibility — including third-party service providers — are trustworthy and meet established security requirements before they receive access or credentials. It also ensures that CMS protects its systems and data during and after personnel actions such as transfers or terminations. 

CMS also applies sanctions when individuals fail to follow security policies and procedures. Federal personnel security standards incorporate a continuous evaluation/continuous monitoring process in which initial suitability/fitness decisions are re-evaluated as new information is reported to or discovered by the Division of Personnel Security, for all CMS employees and contractors.

How PS works at CMS  

To maintain the security of its information systems, CMS uses the Personnel Security (PS) controls in the CMS ARS. This includes screening employees and contractors before granting access, managing risk designations for job roles, and updating access during transfers or terminations.

CMS follows strict federal guidelines through policies like IS2P from HHS, and requires signed access agreements from all users. Security responsibilities are clearly defined, and CMS applies formal sanctions for policy violations. Third-party personnel must also meet these security standards. 

All actions are coordinated across departments to protect systems, data, and facilities at every stage of employment. This page is reviewed annually to ensure the information provided is current and relevant to CMS. 

Related Policies and Authorities 

The Department of Health and Human Services (HHS) has provided the HHS Policy for Information Systems Security and Privacy Protection (IS2P), a policy framework used to safeguard data and systems from information technology (IT) threats and that meets the standards outlined in NIST Special Publication 800-53.

From the requirements listed in IS2P, CMS created the Acceptable Risk Safeguards (ARS). The ARS outlines the minimum security and privacy standards that CMS and its contractors must follow. Additionally, CMS has the CMS Information Systems Security and Privacy Policy (IS2P2) to define roles and responsibilities to ensure compliance with ARS 5.1 and IS2P. 

CMS, through signed delegation of authority, has delegated the authority to the Director, Division of Personnel Security (DPS) within the Security Management Group (SMG), in the Office of Security Facilities and Logistics Operations (OSFLO), to “establish and administer policies and procedures for the CMS Personnel Security program regarding background investigation processing and suitability adjudications for CMS employees and contractors,” including the authority to “make suitability determinations and take suitability actions.”

Key Security Measures 

Policy and Procedures 

Personnel security measures are kept in line with applicable laws, executive orders, policies, directives, regulations, standards, and guidelines. CMS designates a CISO to manage the development, documentation, and dissemination of these controls in the ARS. These controls ensure: 

  • Information systems are using measures consistent with federal requirements
  • Processes and procedures are established to support implementation
  • Additional safeguards are applied to roles with access to sensitive data like PII and PHI
  • Individuals in positions of responsibility, including third-party providers, are trustworthy and meet security criteria
  • Systems and information are protected during personnel actions such as hiring, terminations, and transfers
  • Formal sanctions are applied to personnel who violate security policies 

Personnel security policies are developed to align with the ARS and federal requirements. CMS DPS reviews and updates the personnel security policies, procedures, and standards annually or after defined events specified in the System Security and Privacy Plan (SSPP).

Position Risk Designation 

CMS assigns appropriate risk designations to organizational positions, establishes screening criteria for individuals filling those roles, and routinely reviews and updates these designations. The Office of Personnel Management (OPM) manages the Position Designation Automated Tool (PDT), which helps agencies identify position designations. There are three position sensitivity designations — non-sensitive, public trust, and national security — which align with six sensitivity levels (1–6). 

CMS does not have positions designated for national security but does employ non-sensitive and public trust positions. Individuals with significant security responsibilities must have at least a Level 5 Public Trust investigation. Investigations for the various levels are conducted through the Defense Counterintelligence and Security Agency (DCSA); the results are returned to CMS for adjudication by the Division of Personnel Security within the Security Management Group of the Office of Security Facilities and Logistics Operations.

Within the Security Management Group (SMG), the Division of Credentialing Operations (DCO) performs the prescreening security process and initiates background investigations, and the Division of Personnel Security (DPS) adjudicates background investigations based on position sensitivity for both employees and contractors. Together, DCO and DPS work with the various CMS components to determine appropriate sensitivity levels for all personnel accessing CMS data or facilities, and they provide consultation and training on sensitivity designation to managers, executives, project officers, contractors, and the Office of Human Capital (OHC).

The Identity and Credentialing Tool (ICT) is used to conduct training on the PDT and related tools. Position risk designations are reviewed and, if necessary, updated at least every three (3) years or whenever a position's duties are changed, revised, or realigned, so that the designations remain consistent with OPM policy and guidance.

Personnel Screening 

Individual screening and background checks are completed: 

  • Prior to access authorization
  • Periodically, at rescreening intervals based on risk level, elapsed time, and position
  • Anytime employees move to a higher-risk position 

Contractors changing contracts must receive new Personal Identity Verification (PIV) credentials and a CMS User ID through the Identity and Credentialing Tool (ICT). CMS does not grant logical access until individuals receive an interim PIV eligibility designation and sign the required access agreements. CMS, under HHS direction, requires individuals with significant security responsibilities to hold at least a Level 4 Public Trust, as outlined by HHS, with submission of an HHS-745. Contractors submit these forms in ICT; they are routed through the COR, Information System Security Officer (ISSO), or manager to DCO, which initiates the investigation.

In accordance with 5 CFR 731.104(c), seasonal positions lasting less than six months do not require a background investigation, but contracting organizations must conduct such checks as CMS deems appropriate to ensure the suitability of the person. CMS exercises additional control by requiring all seasonal contractor organizations to perform their own vetting, as stated in the CMS Security Clause included in each contract, to ensure the suitability of each applicant. CMS enforces this vetting process and standard for this class of contracted individuals.

Personnel Termination 

Upon termination, CMS promptly removes both logical and physical access for users who separate voluntarily or involuntarily and ensures that all agency-issued items are returned. This process requires timely coordination among stakeholders, including OHC, Human Resources (HR), Contracting Officer Representatives (CORs) for contractors, managers for federal employees, the ISSO, business owners, and others identified in each system's System Security and Privacy Plan (SSPP).

When a contractor departs, the COR works with the contracting company to retrieve CMS-issued items such as PIV cards, laptops, and other devices. For federal employees, the first-line supervisor is responsible for collecting these items before the employee leaves. HR notifies DPS via email about departing personnel, the equipment to be collected, and the access to be revoked. DPS then coordinates with the appropriate points of contact to ensure timely revocation of access and return of items. In cases of involuntary separation, individuals are escorted off CMS premises immediately, and access must be revoked during the separation process to prevent potential sabotage or malicious activity. Prior coordination with the Division of Physical Security Operations (DPSO) is required for these cases. 

Additionally, OHC conducts exit interviews, particularly for employees with security clearances, to review signed access agreements, including those related to the nondisclosure of security and privacy information. Notification of termination to defined personnel or roles (defined in the applicable security plan) occurs within one (1) calendar day. 

Personnel Transfer 

When an individual is permanently or temporarily reassigned to new roles within the organization, CMS reviews and updates their physical and logical access. Like the personnel termination process, managers or CORs must notify DPS when a transfer occurs. For contractors, this usually means revoking and reassigning all logical and physical access as they transition to a new contract, triggering a new access request process. 

For employees, who often take on temporary roles in different CMS components, managers must coordinate with the system owner, ISSO, and business owner to determine whether access should be revoked or equipment returned based on the duration of the transfer. Upon notification, OSSO/DPS manages badge and physical access, while the system owner alerts relevant parties listed in the System Security and Privacy Plan (SSPP) and contacts the CMS Access Administrator (CAA) for logical access and job code updates. Physical and system access should be revoked immediately upon transfer, and access must be reassessed within 30 days for any change in trust level. 

The manager is responsible for evaluating ongoing access needs and initiating necessary actions, including confirming or reissuing system-related property, notifying security, closing old accounts and opening new ones, modifying access as needed, and informing designated personnel within one business day. 

Access Agreements 

All users of CMS information systems read, understand, and agree to follow the rules and restrictions tied to their access. These agreements may include: 

Users must complete the required access agreements before receiving logical access. CMS uses the HHS Policy for Rules of Behavior for Use of HHS Information and IT Resources as the standard access agreement, and all new users must read and sign the accompanying acknowledgment form before accessing department data, systems, or networks. This acknowledgment must be renewed every three hundred and sixty-five (365) days, typically through the annual Information Systems Security and Privacy Awareness Training provided via CMS’s Learning Management System (LMS). CMS tracks compliance through the EUA system and revokes access for users who fail to complete the required annual recertification. Users without EUA access should contact their Contracting Officer (CO) or COR for guidance. 
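The termination and access-agreement requirements above both reduce to a reconciliation an ISSO can run against a system's own account list: every active account should belong to someone who has not separated, and who has signed the Rules of Behavior acknowledgment within the last 365 days. The script below is an added example, not code from CMS, EUA, or ICT; the account records, user IDs, and dates are constructed, and the one-calendar-day separation threshold reuses the page's termination-notification window as an assumed maximum lag for illustration, not an official CMS SLA.

```python
"""Reconcile personnel records against active accounts (illustrative example).

Flags two hygiene failures described on this page:
  1. accounts still active after the holder's separation date
  2. accounts whose access-agreement acknowledgment is missing or older than 365 days
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds taken from the page's text; treating them as hard cut-offs is an
# assumption made for this example, not an official CMS SLA.
TERMINATION_NOTICE_DAYS = 1          # termination notification within one calendar day
ACKNOWLEDGEMENT_MAX_AGE_DAYS = 365   # access agreement renewed every 365 days


@dataclass(frozen=True)
class Account:
    user_id: str
    active: bool
    last_acknowledgement: Optional[date]     # date the access agreement was last signed
    separation_date: Optional[date] = None   # from the HR / COR separation notice, if any


def find_overdue_terminations(accounts, today):
    """Active accounts whose separation date is further back than the notice window."""
    return sorted(
        a.user_id for a in accounts
        if a.active and a.separation_date is not None
        and (today - a.separation_date).days > TERMINATION_NOTICE_DAYS
    )


def find_expired_acknowledgements(accounts, today):
    """Active, non-separated accounts that never acknowledged or acknowledged too long ago.

    Separated users are excluded here because they are already reported by
    find_overdue_terminations and the fix for them is revocation, not recertification.
    """
    return sorted(
        a.user_id for a in accounts
        if a.active and a.separation_date is None
        and (a.last_acknowledgement is None
             or (today - a.last_acknowledgement).days > ACKNOWLEDGEMENT_MAX_AGE_DAYS)
    )


def audit(accounts, today):
    """Run both checks and return the findings keyed by category."""
    return {
        "overdue_terminations": find_overdue_terminations(accounts, today),
        "expired_acknowledgements": find_expired_acknowledgements(accounts, today),
    }


# Constructed sample records with hypothetical user IDs.
SAMPLE_TODAY = date(2025, 6, 24)
SAMPLE_ACCOUNTS = [
    Account("A1B2", True, date(2025, 1, 10)),                                     # in good standing
    Account("C3D4", True, date(2024, 5, 1)),                                      # acknowledgment > 365 days old
    Account("E5F6", True, None),                                                  # never acknowledged
    Account("G7H8", True, date(2025, 3, 3), separation_date=date(2025, 6, 20)),   # separated 4 days ago, still active
    Account("I9J0", True, date(2025, 3, 3), separation_date=date(2025, 6, 23)),   # separated yesterday, inside window
    Account("K1L2", False, date(2024, 1, 1), separation_date=date(2025, 2, 1)),   # already disabled, nothing to flag
]

if __name__ == "__main__":
    for finding, ids in audit(SAMPLE_ACCOUNTS, SAMPLE_TODAY).items():
        print(f"{finding}: {', '.join(ids) if ids else 'none'}")
```

In practice the account list would come from the system's own identity store and the separation and acknowledgment dates from the HR or EUA feed; the value of the check is that it is driven by the authoritative personnel record rather than by waiting for a manager's notification to arrive.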

External Personnel and Security 

Third-party individuals who need logical or physical access to CMS systems, data, or facilities must comply with the organization’s security requirements. These third parties include service bureaus, contractors, and other providers involved in system development, IT services, outsourced applications, and network or security management. Security requirements for third-party personnel are outlined on security.cms.gov and are integrated into the acquisition process as described in the System and Services Acquisition RMH Chapter 15 (SA-4). The Business Owner (BO) or ISSO works with the COR to identify, include, and enforce the necessary security and privacy requirements in all applicable contracts. 

Personnel Sanctions 

CMS ensures that users follow information security policies and procedures and establishes a process to address violations. When an employee violates these policies, the Division of Workforce Compliance (DWC) is notified, and a Labor and Employee Relations staff member works with the employee's manager to determine the appropriate disciplinary action. CMS follows the principles of progressive discipline, considering each case individually in line with: 

Depending on the severity of the offense, disciplinary actions may include:  

  • Letter of reprimand
  • Suspension
  • Removal from CMS and federal service 

For contractors, sanctions are handled differently and follow the terms outlined in the contract's Statement of Work. The COR, manager, and the contractor's organization manage the process. If a contractor with access to a High-impact system commits a violation, notification must occur within three (3) calendar days; within seven (7) days for Moderate systems; and within thirty (30) days for Low systems.