This post shows you how to build evidence-based offboarding documentation that satisfies the Compliance Framework requirement PS.L2-3.9.2 (NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2), including practical templates, command examples, naming conventions, and a small-business scenario you can adopt today to produce assessor-ready artifacts.
Why PS.L2-3.9.2 matters for your organization
Control PS.L2-3.9.2 focuses on demonstrating that personnel separation and offboarding actions were completed and that access to Controlled Unclassified Information (CUI) and organizational systems was removed or adjusted promptly; assessors expect verifiable, timestamped artifacts that map directly to each offboarding step. For small businesses working under DoD contracts, failure to show this proof risks audit findings, loss of contract eligibility, and increased insider-threat exposure.
What assessors expect: specific evidence artifacts
Assessors will look for a chain of evidence that links an offboarding trigger (resignation/termination/contract end) to concrete technical and administrative actions. Typical artifacts include: an HR-originated termination notice or ticket, IT offboarding task record, account-disable logs from identity providers (Azure AD/AD/Okta), CloudTrail/AWS IAM events, EDR/AV "remove access" events, MDM unenrollment receipts, asset-return receipts (serial numbers), and a signed acknowledgement that CUI and credentials were returned or revoked.
Technical evidence examples and collection commands
Collect technical evidence automatically where possible and export human-readable reports for assessors. For example, Active Directory account disables are written to the Windows Security log as event ID 4725; the following PowerShell lists the disable events from the last 30 days:
# Example: find account disable events in AD security logs (PowerShell)
Get-WinEvent -FilterHashtable @{LogName='Security';Id=4725;StartTime=(Get-Date).AddDays(-30)} |
Select-Object TimeCreated, Id, @{n='TargetUser';e={$_.Properties[0].Value}}
Azure AD disable (AzureAD module):
# Disable the Azure AD account
Set-AzureADUser -ObjectId "jane.doe@contoso.com" -AccountEnabled $false
# Export the audit logs (Graph API or the Azure portal recommended for the export)
AWS evidence: CloudTrail records for DetachUserPolicy, DeleteAccessKey and RemoveUserFromGroup; export the matching records as JSON and name the file with the date, e.g. 2026-04-01_jdoe_aws_detachpolicy.json. GitHub/Bitbucket: audit log entries for key revocation and collaborator removal. Linux/macOS: /var/log/auth.log or MDM device-unenroll logs. Centralize all artifacts in a secure evidence repository (S3 bucket with restricted access, SIEM, or GRC tool) and record a SHA256 checksum for each artifact so its integrity can be verified at assessment time.
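As an added example (not code from the original post), the Python script below filters a CloudTrail JSON export for the three IAM revocation events named above, checks that all three were recorded for the offboarded user, computes how long after the HR trigger the last revocation landed (assessors look for promptness), and writes the matching records out under the post's date_username_action.source naming convention together with a SHA256 digest for the manifest. The CloudTrail records, usernames, access key ID and timestamps are constructed sample data, not real account activity.

```python
"""Pull IAM revocation events for an offboarded user out of a CloudTrail JSON export."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# IAM actions that evidence access removal for a user.
REVOCATION_EVENTS = {"DetachUserPolicy", "DeleteAccessKey", "RemoveUserFromGroup"}

# Constructed sample export (not real account data). The last record is a
# read-only call against jdoe so the event-name filter has something to exclude.
SAMPLE_CLOUDTRAIL = {"Records": [
    {"eventTime": "2026-04-01T14:03:22Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DetachUserPolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "it_admin"},
     "requestParameters": {"userName": "jdoe",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
    {"eventTime": "2026-04-01T14:04:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteAccessKey", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "it_admin"},
     "requestParameters": {"userName": "jdoe", "accessKeyId": "AKIAEXAMPLE0000000001"}},
    {"eventTime": "2026-04-01T14:05:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "RemoveUserFromGroup", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "it_admin"},
     "requestParameters": {"userName": "jdoe", "groupName": "developers"}},
    {"eventTime": "2026-04-01T14:07:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetUser", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "it_admin"},
     "requestParameters": {"userName": "jdoe"}},
]}

def parse_utc(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def extract_revocation_events(export, username, event_names=REVOCATION_EVENTS):
    """Return the IAM revocation records whose target is `username`, oldest first."""
    hits = []
    for rec in export.get("Records", []):
        params = rec.get("requestParameters") or {}
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") not in event_names:
            continue
        if params.get("userName") != username:  # target of the action, not the actor
            continue
        hits.append({
            "eventTime": rec["eventTime"],
            "eventName": rec["eventName"],
            "performedBy": rec.get("userIdentity", {}).get("userName", "unknown"),
            "sourceIPAddress": rec.get("sourceIPAddress"),
            "detail": {k: v for k, v in params.items() if k != "userName"},
        })
    hits.sort(key=lambda e: e["eventTime"])
    return hits

def missing_actions(events, required=REVOCATION_EVENTS):
    """Revocation actions the export does not show for this user."""
    return sorted(required - {e["eventName"] for e in events})

def revocation_lag_seconds(trigger_time, events):
    """Seconds from the HR trigger to the last recorded revocation (None if no events)."""
    if not events:
        return None
    last = max(parse_utc(e["eventTime"]) for e in events)
    return int((last - parse_utc(trigger_time)).total_seconds())

def evidence_filename(date, username, action, source="json"):
    """Naming convention used in the post: date_username_action.source."""
    return f"{date}_{username}_{action}.{source}"

def write_evidence(folder, filename, events):
    """Write the filtered records as JSON; return (path, sha256) for the manifest."""
    data = json.dumps(events, indent=2, sort_keys=True).encode()
    path = os.path.join(folder, filename)
    with open(path, "wb") as fh:
        fh.write(data)
    return path, hashlib.sha256(data).hexdigest()

def demo(trigger_time="2026-04-01T13:30:00Z"):
    """Run the flow for jdoe into a temp folder (trigger time is a constructed value)."""
    events = extract_revocation_events(SAMPLE_CLOUDTRAIL, "jdoe")
    folder = tempfile.mkdtemp(prefix="evidence_")
    name = evidence_filename("2026-04-01", "jdoe", "aws_revocation")
    path, digest = write_evidence(folder, name, events)
    return {"events": events, "missing": missing_actions(events),
            "lag_seconds": revocation_lag_seconds(trigger_time, events),
            "path": path, "sha256": digest}

if __name__ == "__main__":
    result = demo()
    for e in result["events"]:
        print(e["eventTime"], e["eventName"], "by", e["performedBy"], e["detail"])
    print("missing:", result["missing"], "lag:", result["lag_seconds"], "s")
    print("wrote", result["path"], "sha256", result["sha256"])
```

The filter keys on requestParameters.userName (the account being acted on) rather than userIdentity.userName (the administrator), which is the distinction that matters when the same admin offboards several people in one day. A non-empty result from missing_actions, or a lag far outside your policy window, is the finding to chase before the assessor does.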
Offboarding checklist template (practical, assessor-focused)
Use this checklist template to drive actions and generate evidence. Each line is an evidence point; capture the artifact name, who performed the action, timestamp (UTC), and a link or storage path to the exported log or document.
Offboarding Checklist Template (fields to capture):
- Employee Name: John Doe
- Employee ID / Username: jdoe
- Trigger: Resignation / Termination / Contract End (include HR ticket #)
- HR Notice: HR_ticket_2026-04-01_jdoe.pdf
- IT Ticket: IT_ticket_2026-04-01_disable_jdoe.html
- AD Disable Event: 2026-04-01_jdoe_AD_disable.evtx (EventID 4725) - performed by: it_admin
- AzureAD Audit: 2026-04-01_jdoe_azure_audit.json - action: Set-AccountEnabled:false
- Cloud Accounts (AWS/GCP): 2026-04-01_jdoe_cloudtrail_detach.json
- MDM Unenroll: 2026-04-01_jdoe_mdm_unenroll.pdf
- Device Return: Laptop SN XYZ123 returned, Asset_Return_Form_2026-04-01_jdoe.pdf
- Password Reset / Credential Rotation: SecretsManagerRotationLog_jdoe_2026-04-01.txt
- Exit Interview / CUI Acknowledgement: Exit_Confirm_jdoe_signed.pdf
- Evidence Repository Path: s3://evidence-bucket/offboarding/2026-04-01_jdoe/
- Evidence Hash (SHA256):
Small-business scenario: step-by-step with artifacts
Scenario: a remote developer (contractor) notifies their manager of contract end. Practical steps for a small business with minimal staff:
1) HR files termination ticket (store PDF);
2) IT raises an offboarding ticket in the helpdesk and checks AD/Azure/Okta accounts;
3) IT disables accounts and records the event IDs and timestamps;
4) Security rotates shared secrets and revokes personal API keys;
5) MDM unenrolls the device and logs device wipe;
6) Manager conducts exit interview to confirm all CUI has been returned/deleted and signs the exit form.
Evidence package: HR_ticket.pdf, IT_ticket.html, AD_disable.evtx, cloudtrail.json, mdm_unenroll.pdf, asset_return.pdf, exit_ack.pdf, all stored under a single evidence folder with a manifest.csv enumerating files, timestamps, and SHA256 hashes.
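The manifest.csv from this scenario, as an added example that is not part of the original post: a Python script that builds the manifest (filename, size, UTC capture time, SHA256) for an evidence folder, reports which of the scenario's required artifacts are missing, and re-hashes the files later so any change after capture is detectable. It also covers the checksum and integrity points raised in the implementation notes further down. The artifact contents are constructed placeholders written to a temporary directory; the required-artifact list is the scenario's evidence package.

```python
"""Build, check and re-verify manifest.csv for an offboarding evidence folder."""
import csv
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Artifacts the scenario's evidence package must contain.
REQUIRED_ARTIFACTS = ["HR_ticket.pdf", "IT_ticket.html", "AD_disable.evtx", "cloudtrail.json",
                      "mdm_unenroll.pdf", "asset_return.pdf", "exit_ack.pdf"]
FIELDS = ["filename", "size_bytes", "captured_utc", "sha256"]

def sha256_file(path):
    """Stream the file so large log exports do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(folder):
    """One row per artifact file (the manifest itself is excluded), sorted by name."""
    rows = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if name == "manifest.csv" or not os.path.isfile(path):
            continue
        captured = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
        rows.append({"filename": name, "size_bytes": str(os.path.getsize(path)),
                     "captured_utc": captured.strftime("%Y-%m-%dT%H:%M:%SZ"),
                     "sha256": sha256_file(path)})
    return rows

def write_manifest(folder, rows):
    path = os.path.join(folder, "manifest.csv")
    with open(path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=FIELDS)
        writer.writeheader()
        writer.writerows(rows)
    return path

def read_manifest(path):
    with open(path, newline="") as fh:
        return list(csv.DictReader(fh))

def missing_artifacts(rows, required=REQUIRED_ARTIFACTS):
    """Required checklist artifacts that the manifest does not list."""
    present = {r["filename"] for r in rows}
    return [name for name in required if name not in present]

def verify_manifest(folder, rows):
    """Re-hash every listed file; returns (filename, reason) for anything wrong."""
    problems = []
    for r in rows:
        path = os.path.join(folder, r["filename"])
        if not os.path.isfile(path):
            problems.append((r["filename"], "missing"))
        elif sha256_file(path) != r["sha256"]:
            problems.append((r["filename"], "hash mismatch"))
    return problems

def make_package(folder, files):
    """Write artifact files (name -> bytes), then build and write the manifest."""
    for name, content in files.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(content)
    rows = build_manifest(folder)
    write_manifest(folder, rows)
    return rows

def demo():
    """Package the scenario's artifacts with exit_ack.pdf deliberately absent, then
    alter one file after capture to show the integrity check catching it."""
    folder = tempfile.mkdtemp(prefix="offboarding_2026-04-01_jdoe_")
    files = {name: f"constructed placeholder for {name}\n".encode()
             for name in REQUIRED_ARTIFACTS if name != "exit_ack.pdf"}
    rows = make_package(folder, files)
    clean = verify_manifest(folder, rows)
    with open(os.path.join(folder, "HR_ticket.pdf"), "ab") as fh:
        fh.write(b"altered after capture\n")
    tampered = verify_manifest(folder, read_manifest(os.path.join(folder, "manifest.csv")))
    return {"folder": folder, "rows": rows, "missing": missing_artifacts(rows),
            "clean": clean, "tampered": tampered}

if __name__ == "__main__":
    result = demo()
    for row in result["rows"]:
        print(row["captured_utc"], row["sha256"][:16], row["filename"])
    print("missing:", result["missing"])
    print("before tamper:", result["clean"], "after tamper:", result["tampered"])
```

Store the manifest alongside the artifacts and keep a second copy (or its own hash) outside the evidence folder, for instance in the helpdesk ticket; otherwise someone who can rewrite an artifact can rewrite the manifest too, and verify_manifest will report a clean package.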
Implementation notes, tips and best practices
Operationalize offboarding in the Compliance Framework by assigning RACI owners (HR = trigger owner, IT = access revocation, Security = evidence collection and storage). Automate where possible: tie HR system events to a workflow that creates an immutable evidence container (e.g., auto-generate an S3 evidence folder with write-once settings, or push artifacts into a GRC tool). Use consistent naming conventions (YYYYMMDD_username_action.source) and include UTC timestamps. Retain evidence per contractual or policy retention periods (commonly 1 to 3 years for CUI, but follow your contract); log integrity via checksums and store audit trails in a SIEM for quick export during assessments.
Risks of inadequate offboarding and non-compliance
Not implementing evidence-based offboarding increases the risk of unauthorized access to CUI, data exfiltration, persistent backdoors, failed audits, and contract penalties. For small businesses, a single missed access revocation (stale AWS keys, an active GitHub PAT, or an unreclaimed laptop) can result in a supply-chain incident that jeopardizes DoD work. Assessors will flag missing or unverifiable evidence as a deficiency against PS.L2-3.9.2, potentially triggering corrective action plans and loss of contracting privileges.
Summary: Build an assessor-ready offboarding program by codifying a checklist that maps HR triggers to technical actions, automating log capture and artifact export, applying consistent naming and hashing, and centralizing evidence with retention and access controls. Use the provided templates and command examples to produce demonstrable artifacts for NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 PS.L2-3.9.2 assessments, and treat offboarding as a coordinated HR+IT+Security process to minimize risk and pass audits.