PS.L2-3.9.2: Termination and Transfer of Personnel
Personnel transitions are critical security windows where CUI exposure risk spikes. CMMC Level 2 requires your organization to systematically protect controlled information during employee terminations and transfers. This control ensures no sensitive data walks out the door—whether intentionally or accidentally.
What this means
This control mandates that organizations establish and enforce procedures to safeguard systems containing Controlled Unclassified Information (CUI) throughout personnel lifecycle events. When employees are terminated or transferred, your organization must ensure information systems are protected through documented processes covering access revocation, equipment handling, and data handling procedures. The protection extends both during the transition period and after personnel departures.
How to comply
- 1.Document termination and transfer procedures that specifically address CUI-containing systems and data handling
- 2.Define access revocation timelines—revoke system access and credentials immediately or within a documented timeframe
- 3.Establish equipment inventory and return procedures for devices that may contain CUI (laptops, phones, security tokens)
- 4.Create a checklist for departing employees covering IT asset recovery, badge deactivation, and access removal across all systems
- 5.Implement monitoring to detect and prevent unauthorized CUI removal or exfiltration during the transition period
- 6.Document the process for transferring employee responsibilities and reassigning access to new personnel
- 7.Conduct exit interviews that include security acknowledgments and confirmation of data handling compliance
- 8.Retain records of all termination and transfer actions for audit and incident investigation purposes
Evidence auditors look for
- Personnel termination policy including CUI protection requirements
- Transfer procedures documenting system access reassignment protocols
- Access revocation logs showing timely removal of credentials and system permissions
- Equipment inventory and return documentation (e.g., laptop return forms, phone deactivation records)
- IT asset tracking system showing device handoff between employees
- Exit interview documentation with security sign-off
- System logs showing access removal dates correlated with termination dates
- Security training acknowledgments from departing employees
- Mailbox and file share transfer records
- VPN and remote access credential deactivation timestamps
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates termination checklists, triggers real-time access revocation across connected systems, and logs all personnel transitions as audit evidence—eliminating manual spreadsheets and missed revocation deadlines.
See how GRCWatch handles this control automatically
Start free trial