PS-02 - Position Risk Designation

Last modified: May 22, 2026

Introduction

This document describes how Private Mendix Platform fulfills the PS-02 control.

Control ID: PS-02
Control category: PS - Personnel Security
Requirement baseline: FEDRAMP MODERATE
Responsibility and ownership: Customer - Org

Control

The organization:

  • Assigns a risk designation to all organizational positions.
  • Establishes screening criteria for individuals filling those positions.
  • Reviews and updates position risk designations at an organization-defined frequency.

Supplemental Guidance

Position risk designations reflect Office of Personnel Management policy and guidance. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements (for example, training, security clearances).

The following controls are related to this control:

  • AT-3
  • PL-2
  • PS-3

For more information, refer to 5 C.F.R. 731.106(a).

Responsibility

Customer Responsibility

The customer is responsible for implementing this control in an appropriate manner in their organization. This includes establishing position risk designations and screening criteria for all personnel roles associated with the Mendix solution to ensure compliance with federal requirements. The customer must ensure that position risk designations are documented, reviewed at defined intervals, and enforced within their environment.

Guidance

Customer Responsibility

This control is governed by NIST SP 800-53 Rev 5, FIPS 200, and 5 C.F.R. 731.106(a), which establish personnel security requirements for federal information systems. Customers operating within a FedRAMP or DoD SRG environment must ensure that all organizational positions associated with information systems have appropriate risk designations and screening criteria that align with Office of Personnel Management policy and guidance.

To meet these requirements, the customer must carry out the following actions:

  • Establish risk designations for all positions.

    Determine and assign risk designations to all organizational positions associated with the Mendix solution, including roles fulfilled by Infra Implementer, App Implementer, Infra Operator, and App Operator. These designations must reflect the sensitivity of the information and systems each position can access, consistent with OPM guidance and federal standards such as NIST SP 800-53 Rev 5.

  • Define and apply screening criteria.

    Establish explicit screening criteria for individuals filling positions related to the Mendix solution, including requirements for training, security clearances, and background investigations appropriate to each position's risk designation. The customer must collaborate with Infra Implementer, App Implementer, Infra Operator, and App Operator to ensure all personnel meet these criteria before being granted access.

  • Review and update position risk designations.

    Implement a documented process to review and update position risk designations at organization-defined frequencies, ensuring that changes in job responsibilities, threat landscape, or organizational policy are reflected. The customer must direct Infra Implementer, App Implementer, Infra Operator, and App Operator to maintain ongoing compliance with personnel directives throughout the system's lifecycle.