PS.L2-3.9.2 — Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.

What this control requires

Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.

Source: CMMC L2 v2.13 PS.L2-3.9.2 / NIST SP 800-171 R2 3.9.2 (official control text).

Why this matters

When employees leave or change roles, they retain system access, physical keys, knowledge of credentials, and CUI on personal devices—creating insider threat exposure and data leakage risk. Attackers routinely exploit orphaned accounts and credentials from departed staff. This control requires systematic deprovisioning of all CUI access within hours of personnel action, plus recovery of organization property and documented exit protocols. It protects against both malicious exfiltration by disgruntled terminates and accidental exposure from former employees who still possess authentication tokens or building access months after departure.

What evidence assessors expect

Assessors typically look for: PDF, screenshot, CSV export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls