>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

3.9.2Personnel Security - Basic

Basic Requirement

>Control Description

Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers

>Discussion

Protecting CUI during and after personnel actions may include returning system-related property and conducting exit interviews. System-related property includes hardware authentication tokens, identification cards, system administration technical manuals, keys, and building passes. Exit interviews ensure that individuals who have been terminated understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property.

Security topics of interest at exit interviews can include reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and non-availability of supervisors. For termination actions, timely execution is essential for individuals terminated for cause.

In certain situations, organizations consider disabling the system accounts of individuals that are being terminated prior to the individuals being notified. This requirement applies to reassignments or transfers of individuals when the personnel action is permanent or of such extended durations as to require protection. Organizations define the CUI protections appropriate for the types of reassignments or transfers, whether permanent or extended.

Protections that may be required for transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; changing system access authorizations (i.e., privileges); closing system accounts and establishing new accounts; and providing for access to official records to which individuals had access at previous work locations and in previous system accounts.

>Cross-Framework Mappings

CMMC

PS.L2-3.9.2
Compare

SCF

HRS-01.1
Compare
HRS-08
Compare
HRS-09
Compare

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern ensuring CUI is protected during personnel actions?
  • What procedures address CUI protection during transfers, terminations, etc.?
  • How do you ensure continuous CUI protection during role changes?
  • Who verifies CUI security during personnel transitions?
  • What governance prevents CUI exposure during personnel actions?

Technical Implementation:

  • What technical controls maintain CUI protection during personnel changes?
  • How do you automate access removal or modification during transitions?
  • What systems ensure data access is appropriately maintained or revoked?
  • How do you implement account disablement workflows for terminations?
  • What monitoring detects inappropriate CUI access during personnel actions?

Evidence & Documentation:

  • Can you provide procedures for personnel action CUI protection?
  • What documentation shows access adjustments during role changes?
  • Can you demonstrate timely access removal for terminations?
  • What logs track access changes during personnel transitions?
  • What audit evidence verifies CUI protection during personnel actions?

Ask AI

Configure your API key to use AI features.