NIST 800-53 REV 5 • PERSONNEL SECURITY

PS-9 Position Descriptions

Incorporate security and privacy roles and responsibilities into organizational position descriptions.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles and the role-based security and privacy training requirements for the roles.

Practitioner Notes

Job descriptions for positions with system access should state the security and privacy responsibilities of the role, the position risk designation (PS-2), and any screening requirements (PS-3), so that the screening and role-based training a person receives follow directly from the position they hold. Security is part of the job, not separate from it.

Example 1: Update all position descriptions to include a section on security and privacy responsibilities. For example, a system administrator's job description should state that they are responsible for patching, log review, account management, and compliance with the organization's security and privacy policies; a position that handles personal data should state its data-handling and privacy obligations in the same way.

Example 2: In your HRIS, add custom fields to position descriptions for: risk designation level (low/moderate/high), required clearance level (if any), security certifications required, and security-specific duties. Use these fields to drive background check level selection and training assignment during onboarding, and re-run that selection when a position description is changed (for example, when a role gains privileged access), not only when a person is first hired.