Requirement text: PS.2.128: Ensure that organizational systems containing CUI are protected during
and after personnel actions such as terminations and transfers.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Protecting CUI during and after personnel actions may include returning system-related
property and conducting exit interviews. System-related property includes hardware
authentication tokens, identification cards, system administration technical manuals, keys,
and building passes. Exit interviews ensure that individuals who have been terminated
understand the security constraints imposed by being former employees and that proper
accountability is achieved for system-related property. Security topics of interest at exit
interviews can include reminding terminated individuals of nondisclosure agreements and
potential limitations on future employment. Exit interviews may not be possible for some
terminated individuals, for example, in cases related to job abandonment, illnesses, and non-
availability of supervisors. For termination actions, timely execution is essential for
individuals terminated for cause. In certain situations, organizations consider disabling the
system accounts of individuals that are being terminated prior to the individuals being
notified.
This requirement applies to reassignments or transfers of individuals when the personnel
action is permanent or of such extended durations as to require protection. Organizations
define the CUI protections appropriate for the types of reassignments or transfers, whether
permanent or extended. Protections that may be required for transfers or reassignments to
other positions within organizations include returning old and issuing new keys,
identification cards, and building passes; changing system access authorizations (i.e.,
privileges); closing system accounts and establishing new accounts; and providing for access
to official records to which individuals had access at previous work locations and in previous
system accounts.
CMMC CLARIFICATION
Make sure employees no longer have access to CUI when they change jobs or leave the
company. Confirm that when an employee leaves:
• all company IT equipment (e.g., laptops, cell phones, storage devices) is returned;
• all of their identification/access cards and/or keys are returned; and
• an exit interview is conducted to remind the employee of their obligations to not
discuss CUI, even after employment.
The organization will do the following:
• erase all equipment before reuse;
• remove access to all accounts granting access to CUI;
• disable or close employee accounts; and
• limit access to physical spaces with CUI.
Example
You are in charge of IT operations at your company. When someone leaves the company,
you remove them from any physical CUI access lists. You contact them immediately, and ask
them to:
• turn in their computers for proper handling which includes IT disabling all accounts;
• return all their identification and access cards; and
• attend an exit interview where you remind them of their obligations to not discuss
CUI.
References
• NIST SP 800-171 Rev 1 3.9.2
• NIST CSF v1.1 PR.AC-1
• CERT RMM v1.2 HRM:SG4.SP2
• NIST SP 800-53 Rev 4 PS-4, PS-5