Control 3.9.2
Protect CUI During Personnel Actions
Official Requirement
Ensure that CUI and information systems containing CUI are protected during and after personnel actions such as terminations and transfers.
What This Means in Plain English
When employees are terminated or transferred, their access to CUI must be immediately revoked. Company property (laptops, badges, keys, tokens) must be collected, and any CUI in their possession must be returned.
How Petronella Implements This Control
Petronella Technology Group implements this control through:
- Formal offboarding checklist including immediate account disabling upon termination notification
- Return of all company equipment, badges, and access tokens on the last day
- Microsoft Entra ID account disabled and licenses removed within 1 hour of termination
- VPN, remote access, and building access revoked simultaneously
- ComplianceArmor offboarding workflow ensuring all steps are completed and documented
Assessment Guidance
Assessors will review the offboarding process documentation, verify that access is revoked promptly upon termination, check that property return is tracked, and test that terminated accounts are disabled in all systems.
Common Implementation Gaps
- Delayed account disabling after termination (days or weeks)
- No formal offboarding checklist
- Company property not collected upon termination
- Access to some systems not revoked (forgotten systems)
- Transfer actions not triggering access review for new role
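As an added example (not Petronella's or ComplianceArmor's own tooling), the check below reconciles HR termination notices against per-system account exports to surface delayed disabling, still-enabled accounts, and systems that were never checked. The user names, system names, export format and finding labels are assumptions; the one-hour threshold is the target stated in the implementation list above.

```python
from datetime import datetime, timedelta

SLA = timedelta(hours=1)  # the page's stated target for disabling accounts

# Constructed sample data (hypothetical users and system names).
TERMINATIONS = {  # user -> time HR notified IT of the termination
    "adavis": datetime(2024, 3, 4, 9, 0),
    "bkhan": datetime(2024, 3, 4, 14, 30),
}
INVENTORY = ["entra_id", "vpn", "badge", "file_share"]  # systems that can reach CUI
EXPORTS = {  # system -> account rows: (user, enabled, disabled_at or None)
    "entra_id": [("adavis", False, datetime(2024, 3, 4, 9, 20)),
                 ("bkhan", False, datetime(2024, 3, 4, 14, 45))],
    "vpn": [("adavis", False, datetime(2024, 3, 6, 11, 0)),
            ("bkhan", True, None)],
    "badge": [("adavis", False, None)],
    # "file_share" export was never pulled: a forgotten system
}

def audit_offboarding(terminations, inventory, exports, sla=SLA):
    """Return sorted (system, user, finding) tuples for every gap found."""
    findings = []
    for system in inventory:
        if system not in exports:
            # No evidence at all: every terminated user is unverified here.
            findings += [(system, u, "NOT_CHECKED") for u in terminations]
            continue
        for user, enabled, disabled_at in exports[system]:
            notified = terminations.get(user)
            if notified is None:
                continue  # not a terminated user
            if enabled:
                findings.append((system, user, "STILL_ENABLED"))
            elif disabled_at is None:
                # Disabled, but promptness cannot be shown to an assessor.
                findings.append((system, user, "NO_TIMESTAMP"))
            elif disabled_at - notified > sla:
                findings.append((system, user, "LATE"))
    return sorted(findings)

if __name__ == "__main__":
    for system, user, finding in audit_offboarding(TERMINATIONS, INVENTORY, EXPORTS):
        print(f"{finding:<14} {system:<11} {user}")
```

A terminated user with no row in a system's export is not flagged here, since the export alone cannot distinguish a deleted account from one that never existed.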
Cross-Framework Mapping
| Framework | Mapped Controls |
|---|---|
| NIST SP 800-53 | PS-4, PS-5 |
| HIPAA | 164.308(a)(3)(ii)(C) - Termination Procedures |
| PCI DSS | Req 8.1.3 - Immediately revoke access for terminated users |