NIST 800-53 REV 5 • PERSONNEL SECURITY
PS-5 — Personnel Transfer
Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;
Initiate {{ insert: param, ps-05_odp.01 }} within {{ insert: param, ps-05_odp.02 }};
Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
Notify {{ insert: param, ps-05_odp.03 }} within {{ insert: param, ps-05_odp.04 }}.
CMMC Practice Mapping
Supplemental Guidance
Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts.
Practitioner Notes
When employees transfer to a different role or department, their access needs to change. They should get access appropriate to their new role and lose access they no longer need. Without this, people accumulate excessive privileges over time.
Example 1: Create a transfer checklist that requires the old and new manager to review and approve access changes. The old manager confirms what access should be removed; the new manager requests what access is needed. IT implements both changes simultaneously.
Example 2: In Azure AD, use Access Packages in Identity Governance to assign access by role. When someone transfers, remove them from the old access package and add them to the new one. This automatically adjusts their group memberships, app assignments, and SharePoint permissions in one action.