NIST 800-171 Control 3.9.2: Personnel Termination
Personnel transitions are critical security gaps—especially when Controlled Unclassified Information (CUI) is at stake. NIST 800-171 3.9.2 requires organizations to protect systems containing CUI during and after employee terminations and transfers. Failure to enforce this control leaves sensitive data exposed to departing insiders.
What this means
This control mandates that your organization implement formal procedures to protect systems and CUI whenever personnel leave, transfer roles, or change job responsibilities. You must document and enforce access revocation, credential recovery, and system lockdown processes before or immediately upon separation. The goal is to prevent unauthorized access to CUI by former employees and ensure continuity of security controls during workforce transitions.
How to comply
- 1.Document a personnel termination and transfer procedure that specifies CUI protection requirements, including access removal timelines and approval workflows
- 2.Define roles responsible for initiating access revocation (HR, IT Security, system owners) and establish communication protocols between departments
- 3.Remove or disable user accounts, credentials, and logical access to all systems containing CUI on the employee's last day or within 24 hours
- 4.Retrieve physical security credentials, badges, tokens, and mobile devices from departing personnel before exit
- 5.Review and revoke system access across cloud platforms, VPNs, email, file servers, and databases to prevent backdoor re-entry
- 6.Document all access removal actions with timestamps and approvals to demonstrate compliance during audits
- 7.Conduct exit interviews to identify any systems, data, or credentials the employee may have accessed that weren't documented
- 8.For transfers within the organization, re-verify access rights align with the new role and revoke permissions for previous responsibilities
Evidence auditors look for
- Documented Personnel Termination & Transfer Policy approved by management, specifying CUI protection requirements and access revocation timelines
- Access removal logs showing disabled user accounts, revoked credentials, and system lockouts with timestamps and authorizer names
- IT helpdesk tickets or change management records confirming account closures across email, VPN, cloud services, and application systems
- Badge access logs and physical credential inventory sign-offs from security or facilities teams upon employee departure
- Exit interview checklists completed by HR confirming device return, credential recovery, and access revocation verification
- System access reviews showing role-based access re-validation for transferred employees with obsolete permissions removed
- Email forwarding and data transfer records documenting secure handoff of work materials to replacement personnel
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates personnel termination workflows by triggering instant access revocation checklists when HR reports a termination, logging all removal actions across your systems, and generating audit-ready evidence without manual spreadsheet tracking.
See how GRCWatch handles this control automatically
Start free trial