NIST 800-53 REV 5 • PERSONNEL SECURITY

PS-7 External Personnel Security

a. Establish personnel security requirements, including security roles and responsibilities for external providers;
b. Require external providers to comply with personnel security policies and procedures established by the organization;
c. Document personnel security requirements;
d. Require external providers to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within {{ insert: param, ps-07_odp.02 }}; and
e. Monitor provider compliance with personnel security requirements.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Supplemental Guidance

External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals.

Practitioner Notes

When external personnel (contractors, consultants, or partner staff) need credentials, badges, or system privileges in your environment, they are subject to the same personnel security requirements as your own staff, and those requirements must be written down, not assumed. Their sponsoring organization must agree in the contract to follow your personnel security policies, to notify you of transfers and terminations, and to have its compliance monitored.

Example 1: Include personnel security requirements in every contract and acquisition document: background screening requirements, access agreement signing, security training completion, and transfer/termination notification timelines. Name the role that receives notifications (the value you assign to ps-07_odp.01) and the systems in scope (ps-07_odp.02), and require the contractor company to notify that role within 24 hours when an employee assigned to your contract is terminated or transferred off the engagement. The notice needs to identify the person and the credentials, badges, and privileges they held, because that is what you have to revoke. Since termination notices only arrive if the vendor sends them, pair the contract clause with a periodic roster reconciliation so you can catch missed notices yourself.

Example 2: In Azure AD (now Microsoft Entra ID), create external contractor accounts as Guest Users and apply Conditional Access policies that require MFA and a compliant device. Grant their resource access through Entitlement Management access packages whose assignment policy has an expiration date aligned to the contract period, so the access is removed automatically when the contract ends. Two caveats: assignment expiration removes only the access the package granted, so also configure the entitlement management settings for external users to block sign-in and remove the guest account once their last assignment ends; and expiration covers the end of the contract, not a mid-contract termination, which still depends on the vendor's notification and on your own reconciliation of the vendor roster against enabled guest accounts.
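The reconciliation step that PS-7(d) and (e) depend on, as an added example (not part of this page or of any NIST or Microsoft tooling): a vendor roster delivered with the contractual notifications is compared against an export of guest accounts, and every enabled account that a terminated, transferred, contract-expired, or unknown person still holds is reported, along with notifications that missed the agreed SLA. The roster, the account export, the UPNs, the role names, and the dates are all constructed sample data; in practice the roster would come from the vendor and the account list from your directory.

```python
"""
PS-7 reconciliation: vendor personnel roster vs. exported guest accounts.

Findings are (severity, upn, finding) tuples. Sample data below is
constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class RosterEntry:
    upn: str
    vendor: str
    status: str          # "active", "terminated" or "transferred"
    status_date: date    # date the status took effect at the vendor
    notified_on: date    # date the vendor's notification reached us
    contract_end: date


@dataclass(frozen=True)
class GuestAccount:
    upn: str
    enabled: bool
    assignment_expiry: Optional[date]  # access package assignment end, None if none
    privileged_roles: tuple            # directory roles held, () if none


# Constructed sample roster, as a vendor would deliver it with its notifications.
ROSTER = [
    RosterEntry("alice@vendor-a.example", "Vendor A", "active",
                date(2024, 1, 8), date(2024, 1, 8), date(2024, 12, 31)),
    RosterEntry("bob@vendor-a.example", "Vendor A", "terminated",
                date(2024, 6, 10), date(2024, 6, 13), date(2024, 12, 31)),
    RosterEntry("carol@vendor-b.example", "Vendor B", "active",
                date(2023, 6, 1), date(2023, 6, 1), date(2024, 5, 31)),
    RosterEntry("dan@vendor-b.example", "Vendor B", "transferred",
                date(2024, 6, 14), date(2024, 6, 14), date(2024, 12, 31)),
]

# Constructed sample export of guest accounts from the directory.
ACCOUNTS = [
    GuestAccount("alice@vendor-a.example", True, date(2024, 12, 31), ()),
    GuestAccount("bob@vendor-a.example", True, date(2024, 12, 31), ("Global Reader",)),
    GuestAccount("carol@vendor-b.example", True, date(2024, 5, 31), ()),
    GuestAccount("dan@vendor-b.example", False, date(2024, 12, 31), ()),
    GuestAccount("eve@vendor-c.example", True, None, ()),
]

TODAY = date(2024, 6, 15)


def reconcile(roster, accounts, today, notice_sla_days=1):
    """Return sorted findings for accounts that should no longer be enabled
    and for vendor notifications that arrived after the agreed SLA."""
    by_upn = {r.upn.lower(): r for r in roster}
    findings = []
    for acct in accounts:
        entry = by_upn.get(acct.upn.lower())
        # Privileged accounts left open are the more urgent cases.
        sev = "high" if acct.privileged_roles else "medium"

        if entry is None:
            # No vendor claims this person: nobody is accountable for the account.
            if acct.enabled:
                findings.append(("high", acct.upn, "orphan_account"))
            continue

        if entry.status in ("terminated", "transferred"):
            # Contract clause: notice within notice_sla_days of the event.
            if (entry.notified_on - entry.status_date).days > notice_sla_days:
                findings.append(("medium", acct.upn, "late_notification"))
            # Credentials and privileges must be gone after the notice.
            if acct.enabled:
                findings.append((sev, acct.upn, "terminated_still_enabled"))
            continue

        # Active on the roster, but the engagement or the access package ended.
        if acct.enabled and entry.contract_end < today:
            findings.append((sev, acct.upn, "contract_expired_still_enabled"))
        if acct.enabled and acct.assignment_expiry is not None \
                and acct.assignment_expiry < today:
            findings.append((sev, acct.upn, "assignment_expired_still_enabled"))
        if acct.enabled and acct.assignment_expiry is None:
            # Enabled guest with no time-bound assignment: access never expires.
            findings.append(("high", acct.upn, "enabled_without_assignment"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, upn, finding in reconcile(ROSTER, ACCOUNTS, TODAY):
        print(f"{severity:6} {upn:28} {finding}")
```

Run this on a schedule against the real roster and directory export; a disabled account for a transferred person (dan in the sample) produces no finding, while a terminated person whose account is still enabled, or a guest no vendor accounts for, is flagged at high severity. The late_notification finding is the evidence you need for PS-7(e), monitoring the provider's compliance with the notification clause rather than only fixing the account.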