PS.L2-3.9.2: Personnel Actions

Protect CUI during personnel actions (terminations, transfers, role changes) by revoking access and securing data.

An employee leaves. You remove their badge access but forget to disable their network account. They still have access to customer data. Or they take files home. CUI protection during personnel transitions is critical. Offboarding must be deliberate. This practice follows PS.L2-3.9.1 (screening during hire) and connects to AC.L2-3.1.2 (access deprovisioning).

Family: Personnel Security
Practice: PS.L2-3.9.2
Difficulty: Medium
Key evidence: Offboarding procedure, access revocation logs, security agreements

What the assessor is actually evaluating

The assessor is checking: (1) Do you have an offboarding process that covers access removal? (2) Do you follow it? (3) Can you show recent examples of employees who left and had access revoked? The control covers terminations, transfers, and role changes. Anyone losing access to CUI needs to have their access revoked and their devices cleaned of CUI.

The key phrase: “protect CUI during personnel actions.” This means both revoking future access and recovering any data they might retain.

What a realistic SSP definition looks like

PS.L2-3.9.2 Protection of CUI During Personnel Actions

When an employee is terminated, transferred, or changes roles affecting CUI access, the following actions are taken immediately:

  1. Network access is disabled in Active Directory
  2. Access badges and physical keys are revoked
  3. Corporate devices (laptop, phone) are recovered and wiped if CUI is present
  4. Email access is disabled
  5. VPN and any external service access is removed
  6. Employee receives a security reminder regarding CUI protection

Offboarding is documented in [HR system]. IT confirms access removal in [system log]. The employee signs acknowledgment of the security reminder.

For role changes, access is adjusted to remove CUI access no longer needed and add access required for the new role.

How to present your evidence

Gather these items:
  • Offboarding or separation checklist showing CUI-related steps
  • Access revocation logs (recent examples of employees disabled in AD or systems)
  • Security awareness reminder that covers CUI protection and non-retention
  • Signed acknowledgments from departing employees
  • Device recovery or wipe documentation for high-risk roles
  • Role change examples showing access was adjusted appropriately

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Q: "What happens when someone is terminated?" A: "We have an offboarding checklist. HR notifies IT and security. We revoke access the same day, recover any devices, and have them sign a security reminder." [Pull up checklist]

Q: "Can you show me a recent example?" A: "[Employee] left in [month]. Here's the HR notification, the access removal logs, and the signed acknowledgment." [Show documentation]

Q: "What if someone has a laptop with CUI?" A: "We recover the device and wipe any CUI or sensitive data. For high-risk roles, we do this before their last day."

Q: "How about someone transferring to a different role?" A: "Same process. We remove access they no longer need and grant access for the new role. Changes are documented."

Common failures

No offboarding process. When someone leaves, there's no formal process. Access might get removed eventually, but it's ad hoc. Create a checklist and assign responsibility.

Slow access revocation. Access is revoked a week or two after termination. The departed employee still has system access. Revoke access the same day or within hours of termination.

Devices not recovered. Employees who handled CUI leave with their laptops. CUI might remain on the device. Recover devices from anyone who handled CUI or wipe them before they leave.

No documentation. You do offboarding informally. Months later, you can't prove access was revoked. Document offboarding and keep records.

You're good here. You have an offboarding checklist. When someone is terminated, HR triggers it. IT revokes access the same day. Devices are recovered and wiped. Employees sign a security reminder. You have access logs and examples showing this happens consistently. Assessors confirm the process is in place and move on.

Practical offboarding steps

Create a checklist or form that goes to IT when someone is being terminated:

  1. Disable AD account
  2. Revoke VPN access
  3. Revoke email access
  4. Revoke access to shared drives or systems
  5. Recover laptop, phone, badge, keys
  6. Wipe the device if CUI is present
  7. Employee signs security acknowledgment

Assign one person (IT manager, security, or HR) to ensure it’s done. Make a log showing dates and completion for each person.
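A script that carries out the AD-side checklist steps (disable the account, strip group-based access) and appends the completion log row the assessor will ask for, as an added example rather than anything from this guide. It assumes the ActiveDirectory PowerShell module is installed, that VPN and shared-drive rights are granted through AD groups, and a ticket reference and CSV log path of the example's own choosing.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from this guide): disable a departing user's AD account,
# strip group-based access, verify the result, and append an evidence log row.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [Parameter(Mandatory)] [string] $TicketId,   # HR notification reference; name assumed
    [string] $LogPath = "C:\Offboarding\access-revocation-log.csv"   # assumed path
)

$user = Get-ADUser -Identity $SamAccountName -Properties MemberOf
$when = Get-Date

# Checklist step 1: disable first, so nothing below races a live session
Disable-ADAccount -Identity $user

# Steps 2 and 4: when VPN and shared-drive rights come from AD groups, removing
# the memberships revokes them. Record what was removed before removing it.
# (Step 3, mailbox access, lives in the mail platform and is not handled here.)
$removed = @()
foreach ($groupDn in $user.MemberOf) {
    $removed += (Get-ADGroup -Identity $groupDn).Name
    Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
}

# Leave the reason and date on the object itself for later review
Set-ADUser -Identity $user -Description ("Offboarded {0:yyyy-MM-dd} ref {1}" -f $when, $TicketId)

# Verify rather than assume: re-read the account and stop if it is still enabled
$check = Get-ADUser -Identity $SamAccountName
if ($check.Enabled) {
    throw "Account $SamAccountName is still enabled; do not close ticket $TicketId"
}

# One row per person, with who did it and when: this is the access revocation log
[pscustomobject]@{
    Timestamp      = $when.ToString("s")
    SamAccountName = $SamAccountName
    TicketId       = $TicketId
    Disabled       = -not $check.Enabled
    GroupsRemoved  = ($removed -join ';')
    PerformedBy    = $env:USERNAME
} | Export-Csv -Path $LogPath -Append -NoTypeInformation

Write-Host "Offboarded $SamAccountName; removed $($removed.Count) group(s); logged to $LogPath"
```

The CSV it appends to is the "log showing dates and completion for each person" described above; keep it alongside the HR notification and signed acknowledgment so one ticket ties all three together.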

For role changes, adjust access to remove what’s no longer needed and add what the new role requires.

If you use an MSP/MSSP

If your MSP manages access or devices, include offboarding in the service agreement. When an employee leaves, notify your MSP immediately. They should disable VPN access, remote tools, and any systems they manage. Get confirmation that access was revoked. Track this in your offboarding log.

This guide reflects CMMC Level 2 requirements as of March 2026. CMMC and NIST standards evolve. Verify current requirements with official CMMC materials and your assessor.
