PS.L2-3.9.2—Personnel Actions
Level 2
800-171: 3.9.2
>Control Description
Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
>Cross-Framework Mappings
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What is your policy for protecting systems during personnel transitions?
- •How do you ensure access is revoked during terminations and transfers?
- •What is your process for conducting exit procedures?
- •Who is responsible for coordinating access removal during personnel actions?
- •How do you verify that all access has been properly terminated?
- •What procedures apply for friendly departures versus hostile terminations?
Technical Implementation:
- •What automated workflows trigger access revocation during terminations?
- •What identity management systems deprovision accounts?
- •What tools ensure all access is removed during personnel actions?
- •What ticketing systems coordinate access removal across teams?
- •What logging verifies access removal was completed?
- •What tools remotely wipe devices during terminations?
Evidence & Documentation:
- •What personnel security policies and procedures can you provide?
- •What background check reports or clearance records can you show (sanitized)?
- •What termination checklists demonstrate proper off-boarding?
- •What access revocation documentation shows timely access removal?
- •What personnel screening documentation can you provide?
- •What evidence shows personnel actions are properly executed?
Ask AI
Configure your API key to use AI features.