03.09.02 — (a) When individual employment is terminated: (b) When individuals are reassigned or transferred to other positions in the organization:

What this control requires

(a) When individual employment is terminated: (b) When individuals are reassigned or transferred to other positions in the organization:

Source: NIST SP 800-171 R3 §03.09.02 (official control text).

Why this matters

When employees leave or change roles, they retain knowledge of systems, credentials, and access that can become security vulnerabilities if not promptly revoked. Terminated employees may harbor resentment; transferred employees may retain unnecessary privileges. This control ensures that physical and digital access is systematically removed or adjusted to match current job responsibilities, preventing unauthorized access to CUI through orphaned accounts, unreturned tokens, or excessive permissions. The window between termination/transfer and access revocation is a critical threat period where insider threats materialize. Organizations must execute coordinated, immediate actions across physical security, IT systems, and administrative records to close this gap.

What evidence assessors expect

Assessors typically look for: PDF, screenshot, CSV export, signed letter. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls