PS.2.128 Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.

CMMC CLARIFICATION (Ref CMMC – Appendix B)

Make sure employees no longer have access to CUI when they change jobs or leave the company. Confirm that when an employee leaves:

  • all company IT equipment (e.g., laptops, cell phones, storage devices) is returned;
  • all of their identification/access cards and/or keys are returned; and
  • an exit interview is conducted to remind the employee of their obligations to not discuss CUI, even after employment.

The organization will do the following:

  • erase all equipment before reuse;
  • remove access to all accounts granting access to CUI;
  • disable or close employee accounts; and
  • limit access to physical spaces with CUI.