CMMC Practice PS.L2-3.9.2

Personnel Actions: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.

Monarch ISC Guidance

Your policies should be specific regarding what we can term "friendly" or "unfriendly" terminations. Some organizations may treat them identically and walk employees out as soon as they give notice. If an employee is to remain for two weeks (or more), the organization should give consideration to restricting rights, especially for those users with higher security permissions. This is for security purposes, but also operational: you want to be sure the user's account is not tied to some specific process which will fail when the account is disabled. Regardless, the organization should ensure that all access is disabled as soon as practically possible. This will require close coordination with Human Resources for timely notification of all terminations and employee transfers. As part of your policy, set a maximum time allowance before an account should have been disabled, say 24 hours, and use that to measure the effectiveness of your policy. Inherent in this practice is the need to have an inventory of all things the user has been assigned. You can use your help desk software, or for small companies a spreadsheet, to keep track of the hardware which has been assigned to the user, along with any applications the user has been given access to. Do not forget about cloud based applications! While this practice is specific to CUI, it is best practice to follow this same processes for all terminations.

Discussion From Source

NIST SP 800-171 R2 Protecting CUI during and after personnel actions may include returning system-related property and conducting exit interviews. System-related property includes hardware authentication tokens, identification cards, system administration technical manuals, keys, and building passes. Exit interviews ensure that individuals who have been terminated understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics of interest at exit interviews can include reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and non-availability of supervisors. For termination actions, timely execution is essential for individuals terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals that are being terminated prior to the individuals being notified. This requirement applies to reassignments or transfers of individuals when the personnel action is permanent or of such extended durations as to require protection. Organizations define the CUI protections appropriate for the types of reassignments or transfers, whether permanent or extended. Protections that may be required for transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; changing system access authorizations (i.e., privileges); closing system accounts and establishing new accounts; and providing for access to official records to which individuals had access at previous work locations and in previous system accounts.

References