NIST 800-171 • LEVEL 2 • PERSONNEL SECURITY

3.9.2 Personnel Termination and Transfer

When individual employment is terminated:

  • Disable system access within {{ insert: param, A.03.09.02.ODP.01 }},
  • Terminate or revoke authenticators and credentials associated with the individual, and
  • Retrieve security-related system property.

When individuals are reassigned or transferred to other positions in the organization:

  • Review and confirm the ongoing operational need for current logical and physical access authorizations to the system and facility, and
  • Modify access authorization to correspond with any changes in operational need.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

  • upon termination of individual employment, system access is disabled within {{ insert: param, A.03.09.02.ODP.01 }}.
  • upon termination of individual employment, authenticators associated with the individual are terminated or revoked.
  • upon termination of individual employment, credentials associated with the individual are terminated or revoked.
  • upon termination of individual employment, security-related system property is retrieved.
  • upon individual reassignment or transfer to other positions in the organization, access authorization is modified to correspond with any changes in operational need.
  • upon individual reassignment or transfer to other positions in the organization, the ongoing operational need for current logical and physical access authorizations to the system and facility is reviewed.
  • upon individual reassignment or transfer to other positions in the organization, the ongoing operational need for current logical and physical access authorizations to the system and facility is confirmed.

Practitioner Notes

When someone leaves the company or moves to a different role, you need to cut or adjust their access quickly. A former employee with active credentials is one of the most common and dangerous security gaps.

Example 1: Create a termination checklist that IT and HR execute together. Within the defined timeframe (e.g., same business day), disable the Active Directory account, revoke MFA tokens in Azure AD / Entra ID, remove the user from VPN access groups, and disable their email. In the Microsoft 365 Admin Center, go to Users > Active Users, select the departed employee, and click "Block sign-in" followed by revoking all sessions.
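The termination checklist above, written out as an offboarding script. This is an added example, not code from the original page or from NIST: it covers the on-premises Active Directory steps (disable, credential reset, group removal, move to a holding OU), the Entra ID steps (block sign-in, revoke sessions, remove registered MFA methods), and records whether the disable happened inside the organization-defined period. Assumptions that do not come from the page: the RSAT ActiveDirectory module and the Microsoft.Graph PowerShell SDK are installed, the operator holds the needed rights, and the OU name, ticket id and 24-hour window are placeholders for the organization's own values.

```powershell
<#
  Added example (not from the original page): offboarding for an AD domain
  synchronised to Microsoft 365 / Entra ID. All names, OUs and the time
  window below are placeholders.
#>
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [Parameter(Mandatory)][string]$UserPrincipalName,
    [string]$TicketId = 'HR-TICKET-PLACEHOLDER',
    [datetime]$TerminationTime = (Get-Date),
    # Placeholder for the organization-defined period (A.03.09.02.ODP.01).
    [timespan]$MaxDelay = [timespan]::FromHours(24),
    [string]$DisabledOU = 'OU=Disabled Users,DC=example,DC=com'   # placeholder OU
)

Import-Module ActiveDirectory
$log = [System.Collections.Generic.List[string]]::new()
function Write-Step([string]$Message) {
    $line = '{0} {1} {2}' -f (Get-Date).ToString('o'), $TicketId, $Message
    $log.Add($line); Write-Host $line
}

# Objective: system access is disabled.
Disable-ADAccount -Identity $SamAccountName
Write-Step "AD account $SamAccountName disabled"

# Objective: credentials are revoked. A random password reset makes cached or
# shared credentials useless even if the account is re-enabled by mistake later.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$secure = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
Write-Step 'AD password reset to a random value'

# Remove every group except the primary group so VPN, file-share and
# application groups grant nothing if the object is ever revived.
Get-ADPrincipalGroupMembership -Identity $SamAccountName |
    Where-Object { $_.Name -ne 'Domain Users' } |
    ForEach-Object {
        Remove-ADGroupMember -Identity $_ -Members $SamAccountName -Confirm:$false
        Write-Step "Removed from group $($_.Name)"
    }

Set-ADUser -Identity $SamAccountName -Description "Disabled $((Get-Date).ToString('s')) per $TicketId"
Move-ADObject -Identity (Get-ADUser -Identity $SamAccountName).DistinguishedName -TargetPath $DisabledOU
Write-Step "Moved to $DisabledOU"

# Cloud side: the scripted equivalent of "Block sign-in" plus revoking all sessions.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'UserAuthenticationMethod.ReadWrite.All' -NoWelcome
Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
Write-Step "Entra ID sign-in blocked for $UserPrincipalName"
Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
Write-Step 'Refresh tokens and sessions revoked'

# Objective: authenticators are revoked. Registered MFA methods are removed by
# type; the password method cannot be deleted and was neutralised by the reset.
foreach ($m in Get-MgUserAuthenticationMethod -UserId $UserPrincipalName) {
    $type = $m.AdditionalProperties['@odata.type']
    $removed = $true
    switch ($type) {
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' {
            Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $UserPrincipalName -MicrosoftAuthenticatorAuthenticationMethodId $m.Id }
        '#microsoft.graph.phoneAuthenticationMethod' {
            Remove-MgUserAuthenticationPhoneMethod -UserId $UserPrincipalName -PhoneAuthenticationMethodId $m.Id }
        '#microsoft.graph.fido2AuthenticationMethod' {
            Remove-MgUserAuthenticationFido2Method -UserId $UserPrincipalName -Fido2AuthenticationMethodId $m.Id }
        '#microsoft.graph.softwareOathAuthenticationMethod' {
            Remove-MgUserAuthenticationSoftwareOathMethod -UserId $UserPrincipalName -SoftwareOathAuthenticationMethodId $m.Id }
        default { $removed = $false }
    }
    if ($removed) { Write-Step "Removed authentication method $type" }
    else          { Write-Step "Left authentication method $type in place (not removable here)" }
}

# Evidence for the assessor: was access disabled within the defined period?
$elapsed = (Get-Date) - $TerminationTime
$status  = if ($elapsed -le $MaxDelay) { 'WITHIN' } else { 'EXCEEDED' }
Write-Step ('Access disabled {0:N1} hours after termination; {1} the defined period of {2}' -f $elapsed.TotalHours, $status, $MaxDelay)
$log | Set-Content -Path "offboard-$SamAccountName.log"
```

Run it from the HR/IT termination ticket with the effective termination time, for example `.\Offboard-User.ps1 -SamAccountName jdoe -UserPrincipalName jdoe@example.com -TicketId HR-1234 -TerminationTime '2024-06-03 09:00'` (hypothetical values). The final log line is the artifact that answers the first assessment objective; the per-step lines answer the credential and authenticator objectives. Mailbox conversion and hardware return are deliberately left to the rest of the checklist.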

Example 2: For transfers within the company, review and adjust access rights using the principle of least privilege. In Active Directory, remove the user from security groups associated with their old role and add them to groups for their new role. Do not just add new permissions on top of old ones — that leads to privilege creep. Document the access review in a ticket and have the new supervisor approve the updated access rights.
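The transfer review above, as an added example that is not part of the original page: it treats the new role's group set as the complete target, computes what to remove and what to add against the user's current membership, prints the diff for the ticket, and applies it only when `-Apply` is given. It assumes the RSAT ActiveDirectory module; the role-to-group map, baseline groups, ticket id and CSV path are placeholders, not values from the page.

```powershell
<#
  Added example (not from the original page): least-privilege access review
  for an internal transfer. Role map, group names and paths are placeholders.
#>
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [Parameter(Mandatory)][string]$NewRole,
    [Parameter(Mandatory)][string]$ApproverSamAccountName,   # the new supervisor
    [string]$TicketId  = 'ACCESS-REVIEW-TICKET-PLACEHOLDER',
    [string]$ReviewLog = 'access-reviews.csv',
    [switch]$Apply                                            # dry run unless set
)

Import-Module ActiveDirectory

# Placeholder role model. In practice this lives in the IAM system or a
# version-controlled file, and every group in it has a named owner.
$RoleGroups = @{
    'Accounting'  = @('FIN-Ledger-RW', 'FIN-Reports-RO', 'VPN-Users')
    'Engineering' = @('ENG-Source-RW', 'ENG-Build-Servers', 'VPN-Users')
    'HelpDesk'    = @('IT-Tier1', 'IT-RemoteAssist', 'VPN-Users')
}
# Groups every employee holds regardless of role; this script never removes them.
$Baseline = @('Domain Users', 'All-Staff')

if (-not $RoleGroups.ContainsKey($NewRole)) {
    throw "No role definition for '$NewRole'; defined roles: $($RoleGroups.Keys -join ', ')"
}
# Fail early if the approver is not a real account: the review must be attributable.
$approver = Get-ADUser -Identity $ApproverSamAccountName
$user     = Get-ADUser -Identity $SamAccountName -Properties Title, Department

$current = @(Get-ADPrincipalGroupMembership -Identity $SamAccountName | Select-Object -ExpandProperty Name)
$target  = @($RoleGroups[$NewRole] + $Baseline)

# Least privilege: anything outside the new role's set is removed, so the old
# role's groups are not carried along (that carry-over is privilege creep).
$toRemove = @($current | Where-Object { $_ -notin $target })
$toAdd    = @($target  | Where-Object { $_ -notin $current })
$kept     = @($current | Where-Object { $_ -in $target })

$review = [pscustomobject]@{
    Timestamp = (Get-Date).ToString('o')
    Ticket    = $TicketId
    User      = $user.SamAccountName
    FromTitle = $user.Title
    ToRole    = $NewRole
    Approver  = $approver.SamAccountName
    Kept      = ($kept     -join ';')
    Removed   = ($toRemove -join ';')
    Added     = ($toAdd    -join ';')
    Applied   = $Apply.IsPresent
}
$review | Format-List | Out-String | Write-Host

if ($Apply) {
    foreach ($g in $toRemove) { Remove-ADGroupMember -Identity $g -Members $SamAccountName -Confirm:$false }
    foreach ($g in $toAdd)    { Add-ADGroupMember    -Identity $g -Members $SamAccountName }
    Set-ADUser -Identity $SamAccountName -Title $NewRole `
        -Description "Transfer reviewed per $TicketId, approved by $($approver.SamAccountName)"
}
# Append the record so the review itself is evidence for the assessment objectives.
$review | Export-Csv -Path $ReviewLog -Append -NoTypeInformation
```

Run it once without `-Apply` to produce the Removed/Added lists, attach that output to the ticket for the new supervisor's approval, then run it again with `-Apply`. Because the target set is the whole role definition rather than "current plus new", a user transferred several times ends up with exactly the groups of the current role, which is the check the "review and confirm" objectives ask for.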

Also, collect all physical items: badges, keys, laptops, mobile devices, and any removable media. Log the return of each item in your asset management system.