CMMC Practice PS.L2-3.9.2 – Personnel Actions: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
Links to Publicly Available Resources
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2. This example directive can assist organizations that are required to meet the personnel security (PS) controls as stated in NIST SP 800-53. This example EPA procedure describes how the agency meets control requirements for the NIST SP 800-53 Personnel Security control family. This article discusses what enterprises can do to reduce the growing threat of data theft by departing insiders. This document is an example of an employee termination checklist that can be adapted for your organization’s needs.
Discussion [NIST SP 800-171 R2]
Protecting CUI during and after personnel actions may include returning system-related property and conducting exit interviews. System-related property includes hardware authentication tokens, identification cards, system administration technical manuals, keys, and building passes. Exit interviews ensure that individuals who have been terminated understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics of interest at exit interviews can include reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and non-availability of supervisors. For termination actions, timely execution is essential for individuals terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals that are being terminated prior to the individuals being notified.
This requirement applies to reassignments or transfers of individuals when the personnel action is permanent or of such extended durations as to require protection. Organizations define the CUI protections appropriate for the types of reassignments or transfers, whether permanent or extended. Protections that may be required for transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; changing system access authorizations (i.e., privileges); closing system accounts and establishing new accounts; and providing for access to official records to which individuals had access at previous work locations and in previous system accounts.
Further Discussion
Employee access to CUI is removed when they change jobs or leave the company. When employment or program access is terminated for any reason, the following actions may occur within the defined time frame:
- all company IT equipment (e.g., laptops, cell phones, storage devices) is returned;
- all identification, access cards, and keys are returned; and
- an exit interview is conducted to remind the employee of their obligations to not discuss CUI, even after employment.
Additionally, perform the following:
- remove access to all accounts granting access to CUI or modify access to CUI as appropriate for a new work role;
- disable or close employee accounts for departing employees; and
- limit access to physical spaces with CUI for departing employees or those who transition to a work role that does not require access to CUI.
This practice, PS.L2-3.9.2, leverages the identification of system users required by IA.L1-3.5.1 in order to ensure that all accesses are identified and removed.