PS.L2-3.9.2  

Reference: CMMC v2.13

Family: PS

Level Introduced: 2

Title: Personnel Actions

Practice:
Protect organizational systems containing CUI during and after personnel actions such as terminations and transfers.

Further Discussion:
Employee access to CUI is removed when they change jobs or leave the company. When employment or program access is terminated for any reason, the following actions may occur within the defined time frame:
• all company IT equipment (e.g., laptops, cell phones, storage devices) is returned;
• all identification, access cards, and keys are returned; and
• an exit interview is conducted to remind the employee of their obligations to not discuss CUI, even after employment.

Additionally, perform the following:
• remove access to all accounts granting access to CUI or modify access to CUI as appropriate for a new work role;
• disable or close employee accounts for departing employees; and
• limit access to physical spaces with CUI for departing employees or those who transition to a work role that does not require access to CUI.

This requirement, PS.L2-3.9.2, leverages the identification of system users required by IA.L2-3.5.1 in order to ensure that all accesses are identified and removed.

Example 1
You are in charge of IT operations. Per organizational policies, when workers leave the company, you remove them from any physical CUI access lists. If you are not their supervisor, you contact their supervisor or human resources immediately and ask them to:
• turn in the former employees’ computers for proper handling;
• inform help desk or system administrators to have the former employees’ system access revoked;
• retrieve the former employees’ identification and access cards; and
• have the former employees attend an exit interview where you or human resources remind them of their obligations to not discuss CUI [b].

Example 2
An employee transfers from one working group in your company to another. Human resources team notifies IT of the transfer date, and the employee’s new manager follows procedure by submitting a ticket to the IT help desk to provide information on the access rights the employee will require in their new role. IT implements the rights for the new position and revokes the access for the prior position on the official date of the transfer [c].

Potential Assessment Considerations
• Is information system access disabled upon employee termination or transfer [c]?
• Are authenticators/ credentials associated with the employee revoked upon termination or transfer within a certain time frame [b,c]?
• Is all company information system-related property retrieved from the terminated or transferred employee within a certain timeframe [a,c]?
• Is access to company information and information systems formerly controlled by the terminated or transferred employee retained for a certain timeframe [a,c]?
• Is the information security office and data owner of the change in authorization notified within a certain timeframe [a]?

Source: CMMC v2.13