CMMC Practice PS.2.128: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
CMMC CLARIFICATION (Ref CMMC – Appendix B)
Make sure employees no longer have access to CUI when they change jobs or leave the company. Confirm that when an employee leaves:
- all company IT equipment (e.g., laptops, cell phones, storage devices) is returned;
- all of their identification/access cards and/or keys are returned; and
- an exit interview is conducted to remind the employee of their obligations to not discuss CUI, even after employment.
The organization will do the following:
- erase all equipment before reuse;
- remove access to all accounts granting access to CUI;
- disable or close employee accounts; and
- limit access to physical spaces with CUI.