{
  "title": "How to Implement NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - PS.L2-3.9.2: Step-by-Step Offboarding Checklist to Protect CUI During Terminations and Transfers",
  "date": "2026-04-03",
  "author": "Lakeridge Technologies",
  "featured_image": "/assets/images/blog/2026/4/how-to-implement-nist-sp-800-171-rev2-cmmc-20-level-2-control-psl2-392-step-by-step-offboarding-checklist-to-protect-cui-during-terminations-and-transfers.jpg",
  "content": {
    "full_html": "<p>Offboarding is one of the highest-risk moments for Controlled Unclassified Information (CUI): when employees leave or change roles, privileged access, local copies, shared secrets, and physical devices can all create exposure unless a disciplined process is in place. This post provides a practical, compliance-focused, step-by-step checklist to implement PS.L2-3.9.2 (NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2) so small and medium organizations can reliably protect CUI during terminations and transfers.</p>\n\n<h2>Why PS.L2-3.9.2 matters and the risk of non-compliance</h2>\n<p>PS.L2-3.9.2 requires that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. Failure to implement robust offboarding increases insider threat risk, enables credential reuse, and can leave unmanaged devices or accounts with lingering access to CUI. For contractors and small businesses handling CUI, non-compliance risks include losing DoD contracts, remediation costs after a data leak, reputational damage, and audit findings during assessments.</p>\n\n<h2>Step-by-step offboarding checklist (timed, actionable)</h2>\n\n<h3>Immediate actions (0–24 hours)</h3>\n<p>- Notify IT, HR, and the employee’s manager via a standardized workflow or ticketing system the moment termination/transfer is authorized. Capture the effective date/time and reason in the ticket for audit evidence.<br>- Disable interactive logins immediately: In Active Directory, disable the account and move it to a “Disabled Users” OU; in Azure AD (now Microsoft Entra ID), set accountEnabled = false and then revoke refresh tokens (revokeSignInSessions); in Okta/Google Workspace, suspend or deactivate the user.<br>- Revoke all active sessions and tokens: force logouts for SSO (Okta/Azure AD), revoke OAuth tokens and API keys, and invalidate refresh tokens. Note that access tokens already issued stay valid until they expire (typically about an hour, unless Continuous Access Evaluation is in force), so disabling the account is the step that actually stops new tokens from being issued; do both, in that order. 
For AWS, set access keys to Inactive (keeping the key ID available for CloudTrail correlation) and remove the console password: aws iam update-access-key --user-name &lt;user&gt; --access-key-id &lt;id&gt; --status Inactive, then aws iam delete-login-profile --user-name &lt;user&gt;. Always pass --user-name; without it the CLI acts on the keys of the identity signing the request.<br>- Disable VPN/remote access and remove from conditional access groups so remote credentials cannot be used to access internal systems.</p>\n\n<h3>Short-term actions (24–72 hours)</h3>\n<p>- Reclaim and inventory hardware and removable media (laptops, phones, USBs). Use MDM/endpoint management (Intune, JAMF) to trigger remote lock and, if policy allows, remote wipe. Verify Full Disk Encryption (BitLocker/FileVault) status and that the recovery key is escrowed before wipe, and record serial numbers and device IDs.<br>- Collect or transfer custody of CUI: if the employee had local files or printed materials, require that they return or securely transfer these to an authorized custodian and record chain-of-custody in the offboarding ticket.<br>- Rotate shared credentials and secrets that the employee could access (shared admin passwords, database accounts, service accounts). If you use a password manager (1Password/Bitwarden/LastPass), rotate or create new shared vault credentials and audit access logs.</p>\n\n<h3>Medium-term actions (3–7 days)</h3>\n<p>- Remove the user from group memberships and role assignments across systems: IAM (AWS IAM/Google Cloud IAM), Active Directory groups, GitHub organizations, project management tools (Jira/Confluence), and CI/CD tools. Ensure service accounts that grant elevated privileges are audited; if the user had keys or tokens, rotate service account credentials.<br>- Search for orphaned data and backups: run DLP or endpoint search for CUI keywords, review cloud storage (SharePoint, Google Drive, S3 buckets) and unstructured storage for files owned by the departed user and reassign ownership. If you find replicas in personal email or external services, follow data removal procedures and document the remediation.<br>- Preserve audit evidence: export authentication logs, access logs, and ticket history related to the user (CloudTrail, Azure AD sign-in logs, SIEM events). 
Store these artifacts in your compliance evidence repository with timestamps and ticket references.</p>\n\n<h3>Longer-term actions (within 30 days)</h3>\n<p>- Update role-based access control (RBAC) and the inventory of privileged users: perform a privileged access review to ensure no excessive permissions remain assigned because of the departed user.<br>- Conduct an exit interview focused on CUI responsibilities and remind the departing employee of ongoing obligations (NDA, CUI handling rules). Obtain sign-off and store the form in HR records.<br>- Review and improve automation: if offboarding required many manual steps, implement SCIM provisioning or automation scripts to reduce human error (e.g., auto-disable accounts, revoke cloud keys, and trigger device wipe via API).</p>\n\n<h2>Technical specifics and practical tools for small businesses</h2>\n<p>Small businesses can implement these controls without enterprise-only tools by combining readily available services: use Azure AD or Google Workspace as the identity source with SCIM for automated deprovisioning, a lightweight MDM (Microsoft Intune, JumpCloud, or Jamf for macOS) for device control, and a password manager for rotating shared credentials. For cloud workloads, automate key and token revocation in AWS using IAM scripts or AWS Config rules; for example, set a Lambda to alert when access keys are older than X days and to automatically deactivate keys linked to disabled users. Use ticketing (Jira Service Desk, ServiceNow, or even Google Forms + Sheets with audit columns) to record timestamps and approvals so you have consistent evidence during assessments.</p>\n\n<h2>Small business scenarios — real-world examples</h2>\n<p>Example 1: A 12-person engineering firm handling CUI uses Azure AD + Intune and 1Password Teams. When an engineer resigns, HR triggers the offboarding form which creates a helpdesk ticket. 
IT disables the Azure AD account, revokes refresh tokens, forces Intune wipe for the company laptop, and rotates shared 1Password vault passwords. The ticket captures screenshots of disabled accounts and Intune wipe status as evidence.<br>Example 2: A small subcontractor uses Google Workspace and AWS. The owner deactivates the user in Google Workspace (blocking sign-in), uses IAM to deactivate access keys and removes group memberships in the AWS Console, and runs a cloud search for the user’s emails and Drive files to reassign ownership before deleting the account.</p>\n\n<h2>Compliance tips and best practices</h2>\n<p>- Automate where possible: SCIM, SSO session revocation, MDM APIs, and IaC (Infrastructure as Code) scripts reduce missed steps.<br>- Implement Privileged Access Management (PAM) for administrative credentials so you can easily expire access after offboarding instead of hunting for shared passwords.<br>- Maintain an auditable offboarding record: ticket ID, timestamps for each step, screenshots/exports of logs, returned asset serial numbers, and signed HR documents—these are essential for proving compliance to assessors.<br>- Conduct periodic access reviews (quarterly) and tabletop offboarding exercises to test your process. Include HR, IT, security, and legal in the workflow design and updates.</p>\n\n<p>Implementing PS.L2-3.9.2 is about repeatable, auditable actions: immediately stop access, reclaim and secure CUI and devices, rotate secrets, and document everything. For small businesses this means using affordable identity and device-management tools, automating the heavy-lift steps, and keeping a rigorous evidence trail so you can both reduce risk and demonstrate compliance during assessments.</p>",
    "plain_text": "Offboarding is one of the highest-risk moments for Controlled Unclassified Information (CUI): when employees leave or change roles, privileged access, local copies, shared secrets, and physical devices can all create exposure unless a disciplined process is in place. This post provides a practical, compliance-focused, step-by-step checklist to implement PS.L2-3.9.2 (NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2) so small and medium organizations can reliably protect CUI during terminations and transfers.\n\nWhy PS.L2-3.9.2 matters and the risk of non-compliance\nPS.L2-3.9.2 requires that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. Failure to implement robust offboarding increases insider threat risk, enables credential reuse, and can leave unmanaged devices or accounts with lingering access to CUI. For contractors and small businesses handling CUI, non-compliance risks include losing DoD contracts, remediation costs after a data leak, reputational damage, and audit findings during assessments.\n\nStep-by-step offboarding checklist (timed, actionable)\n\nImmediate actions (0–24 hours)\n- Notify IT, HR, and the employee’s manager via a standardized workflow or ticketing system the moment termination/transfer is authorized. Capture the effective date/time and reason in the ticket for audit evidence.\n- Disable interactive logins immediately: In Active Directory, disable the account and move it to a “Disabled Users” OU; in Azure AD (now Microsoft Entra ID), set accountEnabled = false and then revoke refresh tokens (revokeSignInSessions); in Okta/Google Workspace, suspend or deactivate the user.\n- Revoke all active sessions and tokens: force logouts for SSO (Okta/Azure AD), revoke OAuth tokens and API keys, and invalidate refresh tokens. Note that access tokens already issued stay valid until they expire (typically about an hour, unless Continuous Access Evaluation is in force), so disabling the account is the step that actually stops new tokens from being issued; do both, in that order. 
For AWS, set access keys to Inactive (keeping the key ID available for CloudTrail correlation) and remove the console password: aws iam update-access-key --user-name <user> --access-key-id <id> --status Inactive, then aws iam delete-login-profile --user-name <user>. Always pass --user-name; without it the CLI acts on the keys of the identity signing the request.\n- Disable VPN/remote access and remove from conditional access groups so remote credentials cannot be used to access internal systems.\n\nShort-term actions (24–72 hours)\n- Reclaim and inventory hardware and removable media (laptops, phones, USBs). Use MDM/endpoint management (Intune, JAMF) to trigger remote lock and, if policy allows, remote wipe. Verify Full Disk Encryption (BitLocker/FileVault) status and that the recovery key is escrowed before wipe, and record serial numbers and device IDs.\n- Collect or transfer custody of CUI: if the employee had local files or printed materials, require that they return or securely transfer these to an authorized custodian and record chain-of-custody in the offboarding ticket.\n- Rotate shared credentials and secrets that the employee could access (shared admin passwords, database accounts, service accounts). If you use a password manager (1Password/Bitwarden/LastPass), rotate or create new shared vault credentials and audit access logs.\n\nMedium-term actions (3–7 days)\n- Remove the user from group memberships and role assignments across systems: IAM (AWS IAM/Google Cloud IAM), Active Directory groups, GitHub organizations, project management tools (Jira/Confluence), and CI/CD tools. Ensure service accounts that grant elevated privileges are audited; if the user had keys or tokens, rotate service account credentials.\n- Search for orphaned data and backups: run DLP or endpoint search for CUI keywords, review cloud storage (SharePoint, Google Drive, S3 buckets) and unstructured storage for files owned by the departed user and reassign ownership. If you find replicas in personal email or external services, follow data removal procedures and document the remediation.\n- Preserve audit evidence: export authentication logs, access logs, and ticket history related to the user (CloudTrail, Azure AD sign-in logs, SIEM events). 
Store these artifacts in your compliance evidence repository with timestamps and ticket references.\n\nLonger-term actions (within 30 days)\n- Update role-based access control (RBAC) and the inventory of privileged users: perform a privileged access review to ensure no excessive permissions remain assigned because of the departed user.\n- Conduct an exit interview focused on CUI responsibilities and remind the departing employee of ongoing obligations (NDA, CUI handling rules). Obtain sign-off and store the form in HR records.\n- Review and improve automation: if offboarding required many manual steps, implement SCIM provisioning or automation scripts to reduce human error (e.g., auto-disable accounts, revoke cloud keys, and trigger device wipe via API).\n\nTechnical specifics and practical tools for small businesses\nSmall businesses can implement these controls without enterprise-only tools by combining readily available services: use Azure AD or Google Workspace as the identity source with SCIM for automated deprovisioning, a lightweight MDM (Microsoft Intune, JumpCloud, or Jamf for macOS) for device control, and a password manager for rotating shared credentials. For cloud workloads, automate key and token revocation in AWS using IAM scripts or AWS Config rules; for example, set a Lambda to alert when access keys are older than X days and to automatically deactivate keys linked to disabled users. Use ticketing (Jira Service Desk, ServiceNow, or even Google Forms + Sheets with audit columns) to record timestamps and approvals so you have consistent evidence during assessments.\n\nSmall business scenarios — real-world examples\nExample 1: A 12-person engineering firm handling CUI uses Azure AD + Intune and 1Password Teams. When an engineer resigns, HR triggers the offboarding form which creates a helpdesk ticket. IT disables the Azure AD account, revokes refresh tokens, forces Intune wipe for the company laptop, and rotates shared 1Password vault passwords. 
The ticket captures screenshots of disabled accounts and Intune wipe status as evidence.\nExample 2: A small subcontractor uses Google Workspace and AWS. The owner deactivates the user in Google Workspace (blocking sign-in), uses IAM to deactivate access keys and removes group memberships in the AWS Console, and runs a cloud search for the user’s emails and Drive files to reassign ownership before deleting the account.\n\nCompliance tips and best practices\n- Automate where possible: SCIM, SSO session revocation, MDM APIs, and IaC (Infrastructure as Code) scripts reduce missed steps.\n- Implement Privileged Access Management (PAM) for administrative credentials so you can easily expire access after offboarding instead of hunting for shared passwords.\n- Maintain an auditable offboarding record: ticket ID, timestamps for each step, screenshots/exports of logs, returned asset serial numbers, and signed HR documents; these are essential for proving compliance to assessors.\n- Conduct periodic access reviews (quarterly) and tabletop offboarding exercises to test your process. Include HR, IT, security, and legal in the workflow design and updates.\n\nImplementing PS.L2-3.9.2 is about repeatable, auditable actions: immediately stop access, reclaim and secure CUI and devices, rotate secrets, and document everything. For small businesses this means using affordable identity and device-management tools, automating the heavy-lift steps, and keeping a rigorous evidence trail so you can both reduce risk and demonstrate compliance during assessments."
  },
  "metadata": {
    "description": "Practical, step-by-step offboarding checklist to help organizations meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 PS.L2-3.9.2 requirements and protect Controlled Unclassified Information (CUI) during employee terminations and transfers.",
    "permalink": "/how-to-implement-nist-sp-800-171-rev2-cmmc-20-level-2-control-psl2-392-step-by-step-offboarding-checklist-to-protect-cui-during-terminations-and-transfers.json",
    "categories": [],
    "tags": []
  }
}
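The following is an added example, not code from the original post or from Lakeridge Technologies. It automates the AWS part of the immediate-actions checklist (deactivate keys, delete the console password, deactivate MFA, strip group and policy entitlements) and produces the kind of evidence record the ticket should hold, then adds the stale-access-key audit the "Technical specifics" section suggests. Every call is a real boto3 IAM client method with its documented arguments; the user name `jdoe`, the ticket ID `HELP-1234` and the 90-day threshold are placeholders. The functions take the IAM client as a parameter so the logic can be exercised against a fake client offline; the `__main__` block is the live form and needs boto3 plus credentials with IAM write permissions.

```python
# Added example (not from the original post): the AWS portion of the
# "immediate actions" step, plus the stale-key audit suggested under
# "Technical specifics", using real boto3 IAM client calls.
from datetime import datetime, timezone


def verify_offboarded(iam, user_name):
    """Re-read IAM state: True only when nothing usable is left on the user."""
    active_keys = [k for k in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
                   if k["Status"] == "Active"]
    groups = iam.list_groups_for_user(UserName=user_name)["Groups"]
    attached = iam.list_attached_user_policies(UserName=user_name)["AttachedPolicies"]
    inline = iam.list_user_policies(UserName=user_name)["PolicyNames"]
    try:
        iam.get_login_profile(UserName=user_name)
        console_password = True
    except iam.exceptions.NoSuchEntityException:
        console_password = False
    return not (active_keys or groups or attached or inline or console_password)


def offboard_iam_user(iam, user_name, ticket_id, now=None):
    """Cut off every credential an IAM user holds; return an evidence record.

    `iam` is a boto3 IAM client (anything with the same method signatures
    works, which is how this example is tested). Keys are set to Inactive
    rather than deleted so the key IDs stay available for CloudTrail
    correlation; delete them once your retention period has passed.
    """
    started = now or datetime.now(timezone.utc)
    record = {"ticket": ticket_id, "user": user_name, "started_at": started.isoformat(),
              "access_keys_inactive": [], "login_profile_deleted": False,
              "mfa_devices_deactivated": [], "groups_removed": [],
              "policies_detached": [], "inline_policies_deleted": []}

    # 1. Programmatic access: every key to Inactive (already-inactive ones are listed too).
    for key in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        if key["Status"] != "Inactive":
            iam.update_access_key(UserName=user_name, AccessKeyId=key["AccessKeyId"],
                                  Status="Inactive")
        record["access_keys_inactive"].append(key["AccessKeyId"])

    # 2. Console access: delete the login profile. NoSuchEntity just means there was none.
    try:
        iam.delete_login_profile(UserName=user_name)
        record["login_profile_deleted"] = True
    except iam.exceptions.NoSuchEntityException:
        pass

    # 3. MFA devices (must be deactivated before the user can ever be deleted).
    for dev in iam.list_mfa_devices(UserName=user_name)["MFADevices"]:
        iam.deactivate_mfa_device(UserName=user_name, SerialNumber=dev["SerialNumber"])
        record["mfa_devices_deactivated"].append(dev["SerialNumber"])

    # 4. Entitlements: group memberships, attached managed policies, inline policies.
    for grp in iam.list_groups_for_user(UserName=user_name)["Groups"]:
        iam.remove_user_from_group(GroupName=grp["GroupName"], UserName=user_name)
        record["groups_removed"].append(grp["GroupName"])
    for pol in iam.list_attached_user_policies(UserName=user_name)["AttachedPolicies"]:
        iam.detach_user_policy(UserName=user_name, PolicyArn=pol["PolicyArn"])
        record["policies_detached"].append(pol["PolicyArn"])
    for name in iam.list_user_policies(UserName=user_name)["PolicyNames"]:
        iam.delete_user_policy(UserName=user_name, PolicyName=name)
        record["inline_policies_deleted"].append(name)

    # 5. Verify by re-reading state, so the ticket evidence reflects what IAM actually holds.
    record["verified"] = verify_offboarded(iam, user_name)
    record["finished_at"] = datetime.now(timezone.utc).isoformat()
    return record


def stale_access_keys(iam, max_age_days, now=None):
    """(user, key_id, age_days) for every Active key older than max_age_days."""
    now = now or datetime.now(timezone.utc)
    stale = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            for key in iam.list_access_keys(UserName=user["UserName"])["AccessKeyMetadata"]:
                age = (now - key["CreateDate"]).days
                if key["Status"] == "Active" and age > max_age_days:
                    stale.append((user["UserName"], key["AccessKeyId"], age))
    return stale


if __name__ == "__main__":
    import boto3  # live run only; needs credentials with IAM write permissions
    client = boto3.client("iam")
    print(offboard_iam_user(client, "jdoe", ticket_id="HELP-1234"))  # placeholder names
    print(stale_access_keys(client, max_age_days=90))
```

The returned record is what belongs in the offboarding ticket: it lists exactly which key IDs, groups and policies were touched and carries a `verified` flag computed by re-reading IAM rather than by trusting that the write calls succeeded. Running the function a second time is safe and simply reports nothing left to remove, which is the check an assessor will want to see repeated. The stale-key audit is the scheduled counterpart (a Lambda on a timer, for example) for catching keys that survived a manual offboarding.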