Develop, formalize (through the CPSC’s D-100 process), and implement processes to ensure all personnel are assigned risk designations and appropriately screened prior to being granted access to agency systems. Prior to formalizing the existing risk designation procedures, these procedures should be enhanced to include the following requirements: • Performance of periodic reviews of risk designations at least annually, • Explicit position screening criteria for information security role appointments, and • Description of how cybersecurity is integrated into human resources practices (Identity and Access Management iv).