Requirement
NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2 - Control - PS.L2-3.9.2: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
Understanding the Requirement
This control (NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2) requires that your organization has both a policy and technical processes to remove or adjust system access when people leave or change roles, and to protect systems and controlled unclassified information (CUI) throughout those personnel actions. Practically, you must document termination and transfer procedures, revoke or modify credentials promptly, recover company devices, and keep systems secure during role changes so that former or reassigned employees no longer retain access to data they shouldn't have.
Technical Implementation
- Create a documented termination and transfer workflow: Define roles, steps, and SLAs (for example: IT must disable access within 1 hour of HR notification for terminations and within 24 hours for transfers). Use a simple ticketing system or HRIS-to-IT automation so HR, managers, and IT share a single source of truth for personnel changes.
- Centralize identity and access management: Put all accounts (email, VPN, cloud apps, local admin) under a central directory or identity provider (AD, Azure AD, Google Workspace, or an IAM platform) so revocation is a single action. Prefer disabling accounts over deleting them, and document procedures for federated tokens, API keys, and long-lived sessions: disabling an account does not by itself invalidate tokens and sessions issued before the disable, so the workflow must also revoke refresh tokens, terminate active sessions, and rotate any shared or service credentials the person knew.
- Automate deprovisioning where possible: Integrate HR events with provisioning tools (SCIM, SSO, MDM) to automatically remove group memberships, disable SSO accounts, revoke VPN and cloud access, and unenroll devices from MDM when a termination occurs. Maintain a documented exception process for accounts that require legal hold.
- Recover and sanitize assets: Maintain an up-to-date asset inventory that lists laptops, phones, tokens, and other company equipment. Require managers to collect equipment at termination and route devices to IT for immediate imaging and credential removal. For transfers, use device reconfiguration and removal of privileged credentials before reissue.
- Run regular access reviews and role updates: Schedule quarterly or semi-annual reviews of group memberships and privileged access. For transfers, require a manager-signed access change form that IT uses to add and remove permissions; document the business justification and date for audit purposes.
- Log, verify, and test: Enable audit logs for account changes, VPN sessions, and critical system access. Periodically test the termination workflow (tabletop or live drill) to confirm that accounts are disabled, credentials revoked, and CUI remains protected. Retain logs per policy to demonstrate compliance during audits.
Example in a Small or Medium Business
Acme Solutions, a 70-person SMB that handles subcontractor CUI, maintains a simple HR-to-IT workflow in its HRIS. When HR marks an employee as "terminated," the system automatically opens a ticket that lists the employee's devices and access. IT receives the ticket and within 30 minutes disables the employee's Active Directory account, revokes VPN and cloud SSO tokens, and disables the employee's mobile device management (MDM) access. The employee's manager meets IT at 3:00 PM to hand over the laptop and badge; IT signs for the device, reimages it, and returns it to inventory. For internal transfers, HR files a transfer request that triggers an access review: IT removes permissions tied to the old role and adds the group memberships required by the new role only after the new manager approves. All changes are logged in the ticket and in the directory audit logs, and IT runs a monthly spot-check to confirm that no orphaned accounts exist. If a legal hold or investigation applies, HR flags it in the HRIS so IT follows a documented exception path (disable and preserve rather than delete). These steps ensure CUI is not exposed during and after personnel changes.
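The "log, verify, and test" step in the implementation list and Acme's monthly spot-check both come down to reconciling what HR says happened against what the directory actually shows. The Python script below is an added example, not part of the original page or Acme's own tooling: it reads constructed HRIS and directory exports (the dataclasses, the role-to-group map, the SLA values and every sample user are assumptions for illustration) and flags the violations the workflow is meant to prevent: an account still enabled after termination, a disable that missed the one-hour SLA, an account deleted while under legal hold, old-role groups still held more than 24 hours after a transfer, and enabled accounts with no matching person on the active roster.

```python
"""Monthly spot-check for the termination/transfer workflow: reconcile an HRIS
personnel-action export against a directory export and list every account that
violates the policy (PS.L2-3.9.2). All inputs below are constructed samples."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# SLAs taken from the workflow on this page (assumed policy values).
SLA = {"terminated": timedelta(hours=1), "transferred": timedelta(hours=24)}

# Hypothetical role -> directory groups map; a transfer must drop the
# old-role groups that the new role does not also require.
ROLE_GROUPS = {
    "engineer": {"CUI-Engineering", "VPN-Users"},
    "finance": {"CUI-Finance", "VPN-Users"},
}


@dataclass
class PersonnelAction:          # one row of the (assumed) HRIS export
    username: str
    action: str                 # "terminated" or "transferred"
    event_time: datetime        # when HR recorded the action
    old_role: str
    new_role: Optional[str] = None
    legal_hold: bool = False


@dataclass
class DirectoryAccount:         # one row of the (assumed) directory export
    username: str
    enabled: bool
    last_changed: datetime      # e.g. AD whenChanged; taken as the disable time
    groups: set = field(default_factory=set)


def reconcile(actions, directory, active_roster, now):
    """Return (username, finding) pairs; an empty list means the check is clean."""
    by_user = {a.username: a for a in directory}
    findings = []
    for act in actions:
        acct = by_user.get(act.username)
        if act.action == "terminated":
            if acct is None:
                # Policy is disable-not-delete; a missing account on legal hold
                # is an evidence problem, not just a process slip.
                findings.append((act.username, "deleted while on legal hold"
                                 if act.legal_hold else "deleted instead of disabled"))
            elif acct.enabled:
                findings.append((act.username, "still enabled after termination"))
            elif acct.last_changed - act.event_time > SLA["terminated"]:
                findings.append((act.username, "disabled after SLA"))
            elif acct.groups:
                findings.append((act.username, "group memberships retained"))
        elif act.action == "transferred":
            if acct is None:
                findings.append((act.username, "transferred employee has no account"))
                continue
            stale = (ROLE_GROUPS[act.old_role] - ROLE_GROUPS[act.new_role]) & acct.groups
            # Old-role groups only become a violation once the transfer SLA has passed.
            if stale and now - act.event_time > SLA["transferred"]:
                findings.append((act.username, f"old-role groups retained: {sorted(stale)}"))
    # Orphan check: enabled accounts with no active person and no pending action.
    covered = {a.username for a in actions}
    for acct in directory:
        if acct.enabled and acct.username not in active_roster and acct.username not in covered:
            findings.append((acct.username, "orphaned: enabled but not on active roster"))
    return findings


def sample_findings():
    """Run the check on constructed sample data (not real exports)."""
    def t(day, hour, minute=0):
        return datetime(2024, 6, day, hour, minute, tzinfo=timezone.utc)
    now = t(3, 12)
    actions = [
        PersonnelAction("alice", "terminated", t(3, 9), "engineer"),            # clean
        PersonnelAction("bob", "terminated", t(2, 17), "finance"),              # late disable
        PersonnelAction("carol", "terminated", t(3, 10), "engineer"),           # never disabled
        PersonnelAction("dave", "terminated", t(2, 9), "finance", legal_hold=True),
        PersonnelAction("erin", "transferred", t(1, 9), "engineer", "finance"),  # stale groups
        PersonnelAction("frank", "transferred", t(3, 8), "engineer", "finance"), # inside SLA
    ]
    directory = [
        DirectoryAccount("alice", False, t(3, 9, 25)),
        DirectoryAccount("bob", False, t(2, 20, 30)),
        DirectoryAccount("carol", True, t(3, 10), {"CUI-Engineering", "VPN-Users"}),
        DirectoryAccount("erin", True, t(1, 9), {"CUI-Engineering", "CUI-Finance", "VPN-Users"}),
        DirectoryAccount("frank", True, t(3, 8), {"CUI-Engineering", "CUI-Finance", "VPN-Users"}),
        DirectoryAccount("grace", True, t(1, 8), {"CUI-Finance", "VPN-Users"}),
        DirectoryAccount("svc-backup", True, t(1, 8), {"VPN-Users"}),
    ]
    return reconcile(actions, directory, {"erin", "frank", "grace"}, now)


if __name__ == "__main__":
    for user, finding in sample_findings():
        print(f"{user}: {finding}")
```

In a real deployment the two exports would come from the HRIS API and from a directory query (for AD, the enabled flag and whenChanged attribute of each user), and the script would run on a schedule with its output attached to the compliance ticket. Note the two deliberate edge cases: a transferred employee who still holds old-role groups is not a finding until the 24-hour transfer SLA has elapsed, and a terminated account that is missing entirely is reported as a deletion (worse under legal hold) rather than silently passing because it is "not enabled".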
Summary
Implementing PS.L2-3.9.2 combines clear policy with practical technical controls: document HR-to-IT workflows, centralize identity management, automate deprovisioning, recover and sanitize assets, and verify actions with logging and periodic reviews. For SMBs this can be achieved with an HRIS connected to a directory service, a simple ticketing process, and clear SLAs for IT and managers, providing timely removal or adjustment of access so systems containing CUI remain protected during terminations and transfers.