
Personnel Security Policy

Document ID: AUL-POL-08
Version: 1.0
Classification: Internal
Owner: Chief Technology Officer / ISSM
Effective: TBD-YYYY-MM-DD
Next Review: TBD-YYYY-MM-DD

1. Purpose
This policy establishes personnel security requirements for Aulendur Labs, Inc. to verify that individuals with access to information systems and CUI are trustworthy and meet security requirements before, during, and after their association with the organization. This policy implements NIST SP 800-171 Rev. 3 controls 03.09.01 (Personnel Screening) and 03.07.05 (Maintenance Personnel).
2. Scope
This policy applies to:
- Personnel: All employees, contractors, interns, advisors, and any individual who will be granted access to Aulendur information systems or data.
- Data: All classification levels, with enhanced screening for access to Confidential, CUI, and ITAR-controlled data.
- Third parties: Maintenance personnel, auditors, and service providers who require access to Aulendur facilities or systems.
3. Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Chief Executive Officer (CEO) | Approves this policy; authorizes hiring decisions; signs offer letters. |
| Chief Technology Officer (CTO) / ISSM | Owns this policy; determines screening levels based on access requirements; reviews screening results; approves access grants. |
| Hiring Manager | Initiates screening requests for new hires and contractors; verifies screening completion before granting system access. |
| All Personnel | Cooperate with screening processes; report changes in personal circumstances that could affect eligibility. |
| Gusto (HR platform) | Facilitates background check initiation and record retention. |
4. Policy Statements
4.1 Pre-Employment Screening
4.1.1 All individuals shall undergo personnel screening before being granted access to Aulendur information systems. The screening level shall be commensurate with the sensitivity of the data and systems to be accessed (NIST SP 800-171 R3 03.09.01).
4.1.2 Aulendur Labs shall conduct the following minimum screening for all personnel:
| Screening Element | Internal/Confidential Access | CUI/ITAR Access |
|---|---|---|
| Identity verification (government-issued ID) | Required | Required |
| Criminal background check (7-year, all jurisdictions) | Required | Required |
| Employment history verification (5 years) | Required | Required |
| Education verification (highest degree claimed) | Required | Required |
| Reference check (2 professional references) | Required | Required |
| US person status verification | Not required | Required (for ITAR access per 22 CFR 120.16) |
| Credit check | Not required | Recommended |
| Active security clearance verification | Not required | If clearance required by contract |
4.1.3 Background checks shall be initiated through Gusto or an approved third-party screening provider. Results shall be reviewed by the CTO/ISSM before system access is granted.
4.1.4 Adverse findings in a background check shall be reviewed by the CEO and CTO/ISSM jointly. Access shall not be granted until both concur that the individual is suitable. The basis for the suitability determination shall be documented.
4.2 Access Agreements
4.2.1 Before receiving access to Aulendur systems, all personnel shall sign the following agreements:
- (a) Non-Disclosure Agreement (NDA) covering Confidential and proprietary information.
- (b) Acceptable Use Policy acknowledgment (AUL-POL-05).
- (c) Code of Conduct & Ethics acknowledgment (AUL-POL-06).
- (d) CUI Non-Disclosure Agreement — required for personnel with CUI access, acknowledging safeguarding obligations under DFARS 252.204-7012.
- (e) ITAR/EAR awareness acknowledgment — required for personnel with access to export-controlled data.
4.2.2 Signed agreements shall be retained in the individual's personnel file (Gusto or secure Google Drive folder) for the duration of the relationship plus 3 years.
4.3 Ongoing Personnel Security
4.3.1 Personnel shall report to the CTO/ISSM within 5 business days any change in personal circumstances that could affect their security suitability, including: (a) arrest or criminal charges, (b) foreign travel to high-risk countries, (c) contact by foreign intelligence services, (d) significant financial distress (bankruptcy, garnishment), or (e) changes in citizenship or immigration status.
4.3.2 The CTO/ISSM shall conduct periodic re-screening of personnel with CUI or ITAR access at least every 5 years, or more frequently if required by contract.
4.3.3 Personnel who fail to cooperate with screening or re-screening shall have their system access suspended until cooperation is obtained or the matter is resolved by the CEO.
4.4 Contractor and Third-Party Personnel
4.4.1 Contractors and third-party personnel shall meet the same screening requirements as employees for equivalent access levels. Screening may be performed by the contractor's employer, provided the CTO/ISSM receives written attestation of completed screening before access is granted.
4.4.2 Maintenance personnel who require unescorted access to Aulendur systems or facilities shall have completed screening commensurate with the data accessible from those systems (NIST SP 800-171 R3 03.07.05). Maintenance personnel who have not been screened shall be escorted at all times and their activities shall be monitored.
4.4.3 Visitor and maintenance access shall be logged, including name, organization, purpose, arrival/departure times, and escort (if applicable).
4.5 Security Clearance Management
4.5.1 For positions requiring a security clearance (currently limited to TS/SCI-cleared personnel on staff), the CTO/ISSM shall verify clearance status through appropriate government channels before granting access to classified or sensitive programs.
4.5.2 Personnel with active security clearances shall comply with all reporting obligations under SEAD 3 (Reporting Requirements for Personnel with Access to Classified Information) and any applicable Security Executive Agent Directives.
4.5.3 Aulendur Labs does not currently hold a NISPOM facility clearance. Should classified work be pursued, personnel security requirements shall be updated per 32 CFR Part 117.
4.6 Personnel Actions for Cause
4.6.1 If a personnel security concern arises (e.g., adverse background information, insider threat indicator, policy violation), the CTO/ISSM shall: (a) immediately assess whether system access should be suspended, (b) notify the CEO, (c) document the concern, and (d) determine the appropriate course of action (counseling, access restriction, termination referral).
4.6.2 System access shall be suspended within 1 hour of a determination that an individual poses a security risk, pending investigation.
5. Standards & Procedures Referenced
The following companion documents implement this policy:
- Roles & Responsibilities Policy
- Code of Conduct & Ethics Policy
- Acceptable Use Policy
- Onboarding & Offboarding Policy (forthcoming)
- Insider Threat Program Policy (forthcoming)
- Onboarding SOP (forthcoming)
- Offboarding SOP (forthcoming)
6. Compliance & Enforcement
Violations of this policy may result in suspension of system access, disciplinary action up to and including termination, and referral to law enforcement where applicable. Granting system access to unscreened personnel constitutes a policy violation. Suspected violations shall be reported to the CTO/ISSM.
7. Exceptions
Exceptions to this policy require written approval per the Policy Exception & Waiver Policy. Exceptions to CUI or ITAR screening requirements additionally require CEO approval. Emergency access grants (e.g., critical system failure requiring immediate vendor support) shall be escorted, logged, and ratified by the CTO/ISSM within 24 hours.
8. Definitions
| Term | Definition |
|---|---|
| Personnel Screening | The process of verifying an individual's identity, background, and suitability before granting access to information systems or data. |
| CUI | Controlled Unclassified Information, per 32 CFR Part 2002. |
| ITAR | International Traffic in Arms Regulations (22 CFR 120-130). |
| US Person | A US citizen, lawful permanent resident, or protected individual as defined in 8 USC 1324b(a)(3). |
| SEAD 3 | Security Executive Agent Directive 3, establishing reporting requirements for cleared personnel. |
| Maintenance Personnel | Individuals who perform maintenance or repair activities on Aulendur systems, whether on-site or remote. |
| Escort | Continuous accompaniment of an unscreened individual by a screened Aulendur employee while in Aulendur facilities or accessing Aulendur systems. |
9. References
- NIST SP 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations
- CMMC 2.0 Level 2, Cybersecurity Maturity Model Certification
- DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
- ITAR (22 CFR 120-130), International Traffic in Arms Regulations
- SEAD 3, Reporting Requirements for Personnel with Access to Classified Information
- 32 CFR Part 117, National Industrial Security Program Operating Manual (NISPOM)
10. Control Mappings
| Framework | Control ID | Control Title | Coverage |
|---|---|---|---|
| NIST SP 800-171 R3 | 03.09.01 | Personnel Screening | Full |
| NIST SP 800-171 R3 | 03.07.05 | Maintenance Personnel | Full |
| CMMC 2.0 L2 | PS.L2-3.9.1 | Screen Individuals | Full |
| CMMC 2.0 L2 | MA.L2-3.7.5 | Nonlocal Maintenance | Partial — technical controls in AUL-POL-32 |
| NIST SP 800-53 R5 | PS-3 | Personnel Screening | Full |
| NIST SP 800-53 R5 | PS-6 | Access Agreements | Full |
| NIST SP 800-53 R5 | PS-7 | External Personnel Security | Full |
| NIST SP 800-53 R5 | MA-5 | Maintenance Personnel | Full |
11. Revision History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | TBD-YYYY-MM-DD | J. Gershenson | Initial issue. |
© Aulendur Labs, Inc. 2026. Internal use only unless otherwise classified.