NIST 800-53 REV 5 • PERSONNEL SECURITY
PS-4 — Personnel Termination
Upon termination of individual employment: Disable system access within {{ insert: param, ps-04_odp.01 }}; Terminate or revoke any authenticators and credentials associated with the individual; Conduct exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }}; Retrieve all security-related organizational system-related property; and Retain access to organizational information and systems formerly controlled by the terminated individual.
Supplemental Guidance
System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified.
Practitioner Notes
When someone leaves your organization — whether they resign, retire, or are terminated — you must immediately revoke their access and recover all organizational assets. Speed matters, especially for involuntary separations.
Example 1: Create a termination checklist that HR and IT execute together: disable Active Directory account within 1 hour of departure, disable M365 account, revoke VPN credentials, collect laptop and badges, change shared passwords they knew, and remove them from distribution lists and shared mailboxes.
Example 2: In Azure AD, configure Lifecycle Workflows to automatically disable accounts and revoke sessions when HR marks an employee as terminated in your HRIS. Set up an integration between your HR system and Azure AD so the moment a termination date is entered, access revocation begins automatically.
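The IT half of the Example 1 checklist, together with the session revocation step from Example 2, written as one script with an evidence log so the 1-hour target can be demonstrated to an assessor. This is an added illustration, not text from NIST, CMMC or this page; it assumes the ActiveDirectory and Microsoft.Graph PowerShell modules, and the OU path and log file are hypothetical values.

```powershell
# Added example: runs the PS-4 termination checklist for one user and records evidence.
# Assumes the ActiveDirectory and Microsoft.Graph modules; $DisabledOu and $LogPath are hypothetical.
# Physical steps (collect laptop/badge, rotate shared passwords) stay on the HR/IT checklist.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [Parameter(Mandatory)][datetime]$DepartureTime,
    [string]$DisabledOu = "OU=Disabled,DC=corp,DC=example",   # hypothetical OU
    [string]$LogPath    = "C:\Offboarding\ps-4-evidence.log"  # hypothetical log file
)
Import-Module ActiveDirectory
Connect-MgGraph -Scopes "User.ReadWrite.All","GroupMember.ReadWrite.All" -NoWelcome

function Write-Evidence([string]$Step) {
    # Timestamped line per action: this is the artifact that proves timely execution
    "$((Get-Date).ToString('o')) $SamAccountName $Step" | Tee-Object -FilePath $LogPath -Append
}

$user = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName, MemberOf

# 1. Disable the on-prem account and reset the password to a random value, so an
#    accidental re-enable does not restore a credential the person still knows.
Disable-ADAccount -Identity $user
$bytes  = (1..24 | ForEach-Object { Get-Random -Maximum 256 }) -as [byte[]]
$newPwd = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPwd
Write-Evidence "AD account disabled and password reset"

# 2. Remove group memberships: distribution lists, shared-mailbox and VPN access groups.
foreach ($group in $user.MemberOf) {
    Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
}
Write-Evidence "Removed from $($user.MemberOf.Count) AD groups"

# 3. Cloud side: block sign-in and revoke refresh tokens so open M365 sessions end,
#    rather than waiting for the next directory sync cycle.
$cloud = Get-MgUser -UserId $user.UserPrincipalName
Update-MgUser -UserId $cloud.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $cloud.Id | Out-Null
Write-Evidence "Entra ID sign-in blocked and sessions revoked"

# 4. Move the object out of the production OU (done last so the DN above stays valid).
Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOu
Write-Evidence "Moved to $DisabledOu"

# 5. Record whether the checklist's 1-hour target was met.
$elapsed = (Get-Date) - $DepartureTime
Write-Evidence ("Access disabled {0:N0} minutes after departure; within 1 hour: {1}" -f
               $elapsed.TotalMinutes, ($elapsed.TotalMinutes -le 60))
```

Run it from a privileged admin workstation as soon as HR confirms the departure time; the log lines are the evidence an assessor will ask for against the first PS-4 parameter.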