How to Build a Step-by-Step Offboarding Process to Protect CUI During Terminations and Transfers — NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - PS.L2-3.9.2

Practical, step-by-step guidance to build an auditable offboarding process that protects Controlled Unclassified Information (CUI) and meets NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 PS.L2-3.9.2 requirements.

March 26, 2026
5 min read

When an employee is terminated or transferred, CUI (Controlled Unclassified Information) can be left exposed unless your organization has a clear, repeatable offboarding process aligned with NIST SP 800-171 Rev.2 and CMMC 2.0 Level 2 control PS.L2-3.9.2. The control requires that organizational systems containing CUI be protected during and after personnel actions such as terminations and transfers. This post lays out a step-by-step, auditable approach, with practical technical details and a small-business example you can implement immediately.

Core objectives and risk overview

The offboarding process has four objectives: (1) remove or adjust logical and physical access to systems that store or process CUI at the moment of separation, (2) recover CUI-bearing devices and media under documented chain of custody, (3) preserve logs and evidence for audits, and (4) transfer custody of CUI in a controlled way when an employee changes roles. Without these steps you risk data exfiltration by a departing insider, continued use of forgotten credentials to move into privileged systems, contract non-compliance, loss of trust with prime contractors and government customers, and failed assessments that can lead to contract termination or fines.

Step-by-step offboarding process (high level)

Design a structured offboarding workflow with SLA windows and clear owner responsibilities (HR, IT, Security, Facilities, Contracting). At a minimum, break the workflow into: Preparation (pre-termination and role-change planning), Execution (the day of termination/transfer), and Verification & Documentation (post-action validation and evidence capture). Map each step to a compliance artifact you will retain for audits (forms, screenshots, logs, tickets).

Phase 1 — Preparation (HR + IT coordination)

Create a triggered workflow from your HRIS (Workday, BambooHR, ADP) that automatically notifies IT and Security when an employee is flagged for termination or transfer. Maintain an up-to-date inventory of systems that contain CUI (SaaS apps, file shares, endpoints, cloud accounts, paper stores); you cannot revoke access you do not know about. Build a role-based access matrix so that when an employee transfers, your automation knows which entitlements to add and which to remove, rather than leaving the old ones in place. Before separation, prepare a chain-of-custody form for physical assets (laptop serial number, USB media, ID badges) and an export directive for any user-owned files that legitimately must leave with the employee, with explicit approval and redaction requirements.

Phase 2 — Execution (immediate actions on the effective date)

At the effective time: (A) immediately disable network and cloud access (terminate SSO sessions, disable accounts), (B) revoke tokens and keys and rotate any shared credentials the person could have known, (C) collect devices and physical media under chain of custody, and (D) capture system logs showing the account's last activity. Automate where possible: Active Directory and Microsoft Entra ID (formerly Azure AD) account disablement, MDM wipe or quarantine, and IAM key deactivation. Example commands:

    PowerShell, disable an on-premises AD account: Set-ADUser -Identity jdoe -Enabled $false
    Azure CLI, disable an Entra ID user: az ad user update --id jdoe@company.com --account-enabled false
    AWS CLI, deactivate an IAM access key: aws iam update-access-key --user-name jdoe --access-key-id AKIA... --status Inactive

Disabling an account blocks new logons but does not end sessions that already exist: Kerberos tickets and OAuth access tokens stay valid until they expire. For SaaS apps behind SSO (Okta, Entra ID), also revoke active sessions and refresh tokens via the IdP console or API (for Entra ID, the Microsoft Graph revokeSignInSessions action) so cached tokens can no longer be renewed. On AWS, list every access key the user has (aws iam list-access-keys) and deactivate each one rather than only the key you happen to know about.

Phase 3 — Verification, data handling, and post-monitoring

After execution, verify each action: screenshots or logs that show account disabled, keys deactivated, MDM device record showing wipe/retire, and signed chain-of-custody for returned hardware. If the departing employee possessed CUI, perform a documented transfer of custody — a simple form should capture data types, locations (SharePoint path, S3 bucket), redaction needs, and recipient custodians. Preserve logs (SIEM, cloud audit trails) for the retention window required by contracts and compliance — these are primary artifacts for CMMC audit evidence. Continue targeted monitoring for 30–90 days (failed logins, unusual access attempts) to detect post-separation misuse.
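Phases 2 and 3 above carried through as one runbook, written here as an added example; it is not code from the original post or from any vendor. It wraps the page's own disable and revoke commands in a small executor that records every action in a hash-chained ledger (the artifact you attach to the ticket in Phase 3), enumerates and deactivates every IAM access key the user has rather than one known key, validates the account name before it is interpolated into a PowerShell command, and records the device wipe as skipped when a legal hold is set. Assumptions: pwsh with the ActiveDirectory module plus the az and aws CLIs are installed and authenticated on the runbook host; the Microsoft Graph revokeSignInSessions and managedDevices wipe actions are real, but the user names, the Intune device id and the fake runner's output are constructed so the example runs offline.

```python
"""Offboarding runbook (added example): Phase 2 actions in order, hash-chained evidence ledger, legal-hold guard."""
import hashlib
import json
import re
import subprocess
from datetime import datetime, timezone
from typing import Callable, Optional, Sequence

GRAPH = "https://graph.microsoft.com/v1.0"
Runner = Callable[[Sequence[str]], tuple]   # argv list -> (exit code, combined output)


def shell_runner(cmd: Sequence[str]) -> tuple:
    # Real executor: argv list, no shell, so nothing in a user name is interpreted.
    p = subprocess.run(list(cmd), capture_output=True, text=True)
    return p.returncode, p.stdout + p.stderr


class Offboarding:
    def __init__(self, sam: str, upn: str, aws_user: str, device_id: Optional[str],
                 legal_hold: bool = False, run: Runner = shell_runner) -> None:
        if not re.fullmatch(r"[A-Za-z0-9._-]+", sam):   # it is interpolated into a pwsh command
            raise ValueError("unexpected characters in sAMAccountName")
        self.sam, self.upn, self.aws_user = sam, upn, aws_user
        self.device_id, self.legal_hold, self.run = device_id, legal_hold, run
        self.ledger: list = []

    def _record(self, step: str, cmd: Optional[Sequence[str]], rc: int, out: str) -> None:
        prev = self.ledger[-1]["hash"] if self.ledger else "0" * 64
        entry = {"step": step, "cmd": list(cmd) if cmd else None, "rc": rc, "output": out,
                 "at": datetime.now(timezone.utc).isoformat(), "prev": prev}
        # The hash covers the entry and the previous hash: editing or dropping any
        # earlier entry after the fact breaks the chain.
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.ledger.append(entry)

    def _step(self, step: str, cmd: Sequence[str]) -> tuple:
        rc, out = self.run(cmd)
        self._record(step, cmd, rc, out)
        return rc, out

    def execute(self) -> list:
        # (A) Disable on-prem AD and Entra ID, then revoke existing sessions and refresh
        # tokens: disabling alone leaves already-issued tokens valid until they expire.
        self._step("disable_ad", ["pwsh", "-NoProfile", "-Command",
                                  f"Set-ADUser -Identity '{self.sam}' -Enabled $false"])
        self._step("disable_entra", ["az", "ad", "user", "update", "--id", self.upn,
                                     "--account-enabled", "false"])
        self._step("revoke_sessions", ["az", "rest", "--method", "POST", "--url",
                                       f"{GRAPH}/users/{self.upn}/revokeSignInSessions"])
        # (B) Enumerate and deactivate every IAM access key, not only the one someone knew of.
        rc, out = self._step("list_aws_keys", ["aws", "iam", "list-access-keys",
                                               "--user-name", self.aws_user, "--output", "json"])
        keys = [k["AccessKeyId"] for k in json.loads(out)["AccessKeyMetadata"]] if rc == 0 else []
        for kid in keys:
            self._step(f"deactivate_key:{kid}", ["aws", "iam", "update-access-key", "--user-name",
                       self.aws_user, "--access-key-id", kid, "--status", "Inactive"])
        # (C) Device: an MDM wipe destroys evidence, so under legal hold it is recorded as
        # skipped and the device is quarantined instead of wiped.
        if self.device_id and not self.legal_hold:
            self._step("wipe_device", ["az", "rest", "--method", "POST", "--url",
                       f"{GRAPH}/deviceManagement/managedDevices/{self.device_id}/wipe"])
        elif self.device_id:
            self._record("wipe_device", None, 0, "SKIPPED: legal hold; device quarantined, not wiped")
        return self.ledger

    def failures(self) -> list:
        # Anything listed here blocks closure of the offboarding ticket.
        return [e["step"] for e in self.ledger if e["rc"] != 0]


def chain_intact(ledger: list) -> bool:
    """Recompute the chain over an exported ledger; False if any entry was altered."""
    prev = "0" * 64
    for e in ledger:
        body = {k: v for k, v in e.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body["prev"] != prev or digest != e["hash"]:
            return False
        prev = e["hash"]
    return True


def fake_runner(calls: list) -> Runner:
    """Constructed stand-in for the CLIs so the example runs offline: records argv, answers
    list-access-keys with two made-up key ids, and reports success for everything else."""
    def run(cmd: Sequence[str]) -> tuple:
        calls.append(list(cmd))
        if list(cmd[:3]) == ["aws", "iam", "list-access-keys"]:
            return 0, json.dumps({"AccessKeyMetadata": [
                {"AccessKeyId": "AKIAEXAMPLE000000001"}, {"AccessKeyId": "AKIAEXAMPLE000000002"}]})
        return 0, "ok"
    return run


if __name__ == "__main__":
    seen: list = []
    job = Offboarding("jdoe", "jdoe@company.com", "jdoe", device_id="intune-device-id-placeholder",
                      legal_hold=True, run=fake_runner(seen))
    job.execute()
    print(json.dumps(job.ledger, indent=2))   # the evidence attached to the ticket
    print("chain intact:", chain_intact(job.ledger), "| failures:", job.failures())
```

Run it as-is to see the ledger with the legal-hold branch taken; drop the `run=fake_runner(seen)` argument to execute through the default `shell_runner` for real. Phase 3 verification is then `chain_intact()` over the exported ledger plus an empty `failures()` list; a non-empty list means the ticket cannot be closed.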

Technical checklist and implementation specifics

Include a concise technical checklist in your ticketing system (Jira, ServiceNow, Zendesk), automated where possible: disable AD and Entra ID (Azure AD) accounts; revoke OAuth refresh tokens and API tokens; rotate, in your vault (HashiCorp Vault, AWS Secrets Manager, CyberArk), every shared password and service-account credential the user knew; disable VPN access and remove the user's registered MFA devices so they cannot be used for self-service recovery; remove the user's public keys from authorized_keys on every server (or from your central SSH key store) and revoke any SSH certificates issued to them; revoke user and device certificates; wipe or re-image returned laptops through MDM (Intune: retire/wipe, Jamf: wipe). For evidence, capture the relevant SIEM alerts and IDS logs and attach them to the offboarding ticket. If a legal hold is required, flag the account and do not delete or wipe anything: suspend only, and document the hold reason and approver.
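The post-separation monitoring from Phase 3 and the evidence capture in the checklist above, as an added example rather than code from the original post: it scans a mixed stream of log lines and raises a critical finding whenever a separated identity, including an access key that belonged to the person, still succeeds at anything after the effective time (proof that revocation was incomplete), and a warning for failed attempts inside the 30-90 day window. The two line formats, the identities and the sample records are constructed for the example; a real deployment would read the SIEM export instead.

```python
"""Post-separation monitoring (added example): findings for activity by separated
identities across CloudTrail-style JSON records and exported IdP sign-in lines."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Separation:
    user: str                 # canonical name used in findings
    effective: datetime       # moment access should have been gone (tz-aware)
    aliases: FrozenSet[str]   # UPN, IAM user name, access key ids that belonged to the person


@dataclass(frozen=True)
class Finding:
    severity: str             # "critical": the action worked; "warning": it was attempted
    user: str
    at: datetime
    source: str
    detail: str


def parse_event(line: str) -> Optional[dict]:
    """Normalize one line to {time, actors, action, success, source}. Two constructed
    formats: a CloudTrail record as one-line JSON, and an exported IdP sign-in line
    'time|principal|SUCCESS or FAILURE|action'. Blank lines yield None."""
    line = line.strip()
    if not line:
        return None
    if line.startswith("{"):
        ev = json.loads(line)
        ident = ev.get("userIdentity", {})
        return {"time": datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00")),
                "actors": {ident.get("userName"), ident.get("accessKeyId")} - {None},
                "action": ev.get("eventName", "?"),
                "success": "errorCode" not in ev, "source": "cloudtrail"}
    t, principal, result, action = line.split("|", 3)
    return {"time": datetime.fromisoformat(t), "actors": {principal}, "action": action,
            "success": result.upper() == "SUCCESS", "source": "idp"}


def scan(lines, separations, window_days: int = 90) -> List[Finding]:
    """A successful action by a separated identity is always critical, however old:
    it means a credential survived offboarding. Failed attempts are expected noise
    and are reported only inside the monitoring window."""
    index = {alias: s for s in separations for alias in s.aliases | {s.user}}
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        sep = next((index[a] for a in ev["actors"] if a in index), None)
        if sep is None or ev["time"] < sep.effective:
            continue   # unknown actor, or activity before the effective time
        age_h = (ev["time"] - sep.effective).total_seconds() / 3600
        if ev["success"]:
            findings.append(Finding("critical", sep.user, ev["time"], ev["source"],
                f"{ev['action']} succeeded {age_h:.1f} h after separation: revocation incomplete"))
        elif ev["time"] <= sep.effective + timedelta(days=window_days):
            findings.append(Finding("warning", sep.user, ev["time"], ev["source"],
                f"{ev['action']} failed {age_h:.1f} h after separation"))
    return findings


# Constructed sample: jdoe separated 2026-03-20 14:00 UTC; the second access key was missed.
SAMPLE_LOG = [
    '{"eventTime":"2026-03-19T10:00:00Z","eventName":"GetObject","userIdentity":{"type":"IAMUser","userName":"jdoe","accessKeyId":"AKIAEXAMPLE000000001"}}',
    '{"eventTime":"2026-03-20T16:30:00Z","eventName":"GetObject","userIdentity":{"type":"IAMUser","userName":"jdoe","accessKeyId":"AKIAEXAMPLE000000002"}}',
    "2026-03-21T08:05:00+00:00|jdoe@company.com|FAILURE|SignIn",
    "2026-03-21T09:00:00+00:00|asmith@company.com|SUCCESS|SignIn",
    '{"eventTime":"2026-03-22T11:00:00Z","eventName":"ListBuckets","errorCode":"AccessDenied","userIdentity":{"type":"IAMUser","userName":"jdoe","accessKeyId":"AKIAEXAMPLE000000001"}}',
    "",
    "2026-07-10T08:00:00+00:00|jdoe@company.com|FAILURE|SignIn",
]
SAMPLE_SEPARATIONS = [Separation("jdoe", datetime(2026, 3, 20, 14, 0, tzinfo=timezone.utc),
                                 frozenset({"jdoe@company.com", "AKIAEXAMPLE000000001", "AKIAEXAMPLE000000002"}))]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, SAMPLE_SEPARATIONS):
        print(f.severity.upper(), f.user, f.at.isoformat(), f.source, f.detail)
```

On the sample the first GetObject is before the effective time and is ignored, the second succeeds with a key that should have been deactivated and is critical, the failed sign-in and the AccessDenied call are warnings, and the failure in July falls outside the 90-day window. The roster of aliases is the important input: without the access key ids, a leftover key would never be matched to the departed person.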

Small-business scenario and common pitfalls

Example: a 35-person subcontractor has a software engineer with access to CUI in GitHub, S3, and an office laptop. In the first (incorrect) scenario, HR emails "Last day Friday," IT waits until Monday to act, and over the weekend the engineer clones the repositories and leaves with the code. In the correct scenario, HR triggers an automated offboarding ticket as soon as the separation is scheduled; on Friday morning IT terminates the SSO session, revokes the GitHub and AWS tokens, and collects the laptop, and an auditor later finds screenshots and logs proving the access was removed on time. Common small-business mistakes include relying on manual, email-driven offboarding, not tracking shared accounts, and failing to maintain a CUI inventory; automation and a simple role matrix remove most of these risks.

Compliance tips and best practices

Keep your evidence organized: store offboarding tickets, signed chain-of-custody forms, and exported logs in a compliance repository with access controls and an immutable retention policy (WORM storage, or S3 Object Lock where applicable). Conduct quarterly access reviews and at least annual separation drills to validate SLAs and automation. Use least-privilege RBAC and short-lived credentials (AWS STS tokens, OAuth access tokens with a short TTL) so that a credential missed during offboarding expires on its own. Finally, make the offboarding process part of the employee separation policy and training: HR, IT, and managers must know the SLA for disabling access (target: immediate for terminations; within 1 business day for planned transfers, unless a legal hold applies).

Summary: Implementing a step-by-step offboarding process that maps HR triggers to automated IT and security actions, documents chain-of-custody for CUI, and preserves audit evidence will help your organization meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 PS.L2-3.9.2; start with a simple checklist and automation tied to your HR system, validate with periodic drills, and retain logs and signed artifacts to demonstrate compliance.
