NIST 800-53 REV 5 • PERSONNEL SECURITY
PS-2 — Position Risk Designation
a. Assign a risk designation to all organizational positions;
b. Establish screening criteria for individuals filling those positions; and
c. Review and update position risk designations {{ insert: param, ps-02_odp }}.
Supplemental Guidance
Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions.
Practitioner Notes
Every position in your organization that involves access to information systems must be assigned a risk designation (low, moderate, or high) based on the potential damage someone in that position could cause. This determines the level of background screening required.
Example 1: Review every job description and assign a risk level. A system administrator with root access to servers is high risk. A general office worker with email-only access is low risk. Document these designations in a position risk matrix and use it to determine background check requirements.
Example 2: Work with HR to embed risk designations into your position description templates. When creating or modifying a position in your HRIS (Workday, ADP, BambooHR), include a required field for the IT risk designation so it is always documented and drives the appropriate screening process.