FedRAMP Control Explorer

Controls

Access Control

Assessment, Authorization, and Monitoring

Audit and Accountability

Awareness and Training

Configuration Management

Contingency Planning

Identification and Authentication

Incident Response

Maintenance

Media Protection

Personnel Security

Physical and Environmental Protection

Planning

Risk Assessment

Supply Chain Risk Management

System and Communications Protection

System and Information Integrity

System and Services Acquisition

PS-8 Personnel Sanctions

Control

Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and

Notify [to include the ISSO and/or similar role within the organization] within [24 hours] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

Discussion

Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions.

FedRAMP-Defined Assignment / Selection Parameters

PS-8 (b) [to include the ISSO and/or similar role within the organization] - personnel or roles to be notified when a formal employee sanctions process is initiated is/are defined;
PS-8 (b) [24 hours] - the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated is defined;