Overview:
Ensure that CUI and information systems containing CUI are protected during and after personnel actions such as terminations and transfers.
Action Items:
3.9.2[a]
Determine if: a policy and/or process for terminating system access and any credentials coincident with personnel actions is established.
3.9.2[b]
Determine if: system access and credentials are terminated consistent with personnel actions such as termination or transfer.
3.9.2[c]
Determine if: the system is protected during and after personnel transfer actions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
1
Examine: Personnel security policy; procedures addressing personnel transfer and termination; records of personnel transfer and termination actions; list of system accounts; records of terminated or revoked authenticators and credentials; records of exit interviews; other relevant documents or records].
2
Interview: Personnel with personnel security responsibilities; personnel with account management responsibilities; system or network administrators; personnel with information security responsibilities].
3
Test: Organizational processes for personnel transfer and termination; mechanisms supporting or implementing personnel transfer and termination notifications; mechanisms for disabling system access and revoking authenticators].
Related Documents (document name and content will vary by organization):
1) Personnel security policy
2) procedures addressing personnel transfer and termination
3) records of personnel transfer and termination actions
4) list of system accounts
5) records of terminated or revoked authenticators and credentials
6) records of exit interviews
7) other relevant documents or records
Additional Guidance:
Protecting CUI during and after personnel actions may include, for example, return of systemrelated property and exit interviews. System-related property includes, for example, hardware authentication tokens, identification cards, system administration technical manuals, keys, and building passes. Exit interviews ensure that individuals who have been terminated understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and non-availability of supervisors. For termination actions, timely execution is essential for individuals terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals that are being terminated prior to the individuals being notified.
This requirement applies to reassignments or transfers of individuals when the personnel action is permanent or of such extended durations as to require protection. Organizations define the CUI protections appropriate for the types of reassignments or transfers, whether permanent or extended. Protections that may be required for transfers or reassignments to other positions within organizations include, for example: returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts.
Article ID: 179
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/nist-800-171-termination-or-change-of-responsibility-3-9-2-179.html