Level 5 CMMC - CMMC Practices

PS.2.128  

Reference: CMMC 1.02

Family: PS

Level Introduced: 2

Practice:
Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.

CMMC Clarification:
Make sure employees no longer have access to CUI when they change jobs or leave the company. Confirm that when an employee leaves:
• all company IT equipment (e.g., laptops, cell phones, storage devices) is returned;
• all of their identification/access cards and/or keys are returned; and
• an exit interview is conducted to remind the employee of their obligations to not discuss CUI, even after employment.
The organization will do the following:
• erase all equipment before reuse;
• remove access to all accounts granting access to CUI;
• disable or close employee accounts; and
• limit access to physical spaces with CUI.

Example
You are in charge of IT operations at your company. When someone leaves the company, you remove them from any physical CUI access lists. You contact them immediately, and ask them to:
• turn in their computers for proper handling which includes IT disabling all accounts;
• return all their identification and access cards; and
• attend an exit interview where you remind them of their obligations to not discuss CUI.

3.9.2

Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.

Discussion:
Protecting CUI during and after personnel actions may include returning system-related property and conducting exit interviews. System-related property includes hardware authentication tokens, identification cards, system administration technical manuals, keys, and building passes. Exit interviews ensure that individuals who have been terminated understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics of interest at exit interviews can include reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and non-availability of supervisors. For termination actions, timely execution is essential for individuals terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals that are being terminated prior to the individuals being notified.

This requirement applies to reassignments or transfers of individuals when the personnel action is permanent or of such extended durations as to require protection. Organizations define the CUI protections appropriate for the types of reassignments or transfers, whether permanent or extended. Protections that may be required for transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; changing system access authorizations (i.e., privileges); closing system accounts and establishing new accounts; and providing for access to official records to which individuals had access at previous work locations and in previous system accounts.

Source: NIST Special Publication 800-171 Rev. 2

PS-4

PERSONNEL TERMINATION

Description:
The organization, upon termination of individual employment:
    a. Disables information system access within [Assignment: organization-defined time period];
    b. Terminates/revokes any authenticators/credentials associated with the individual;
    c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];
    d. Retrieves all security-related organizational information system-related property;
    e. Retains access to organizational information and information systems formerly controlled by terminated individual; and
    f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].

Supplemental Guidance:
Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified. Related controls: AC-2, IA-4, PE-2, PS-5, PS-6.

PS-5

PERSONNEL TRANSFER

Description:
The organization:
    a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;
    b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action];
    c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
    d. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].

Supplemental Guidance:
This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts. Related controls: AC-2, IA-4, PE-2, PS-4.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02