NetStable
Level 2 PS.L2-3.9.2

Ensure that CUI and organizational systems are protected during and after personnel actions

📖 What This Means

This practice requires organizations to safeguard Controlled Unclassified Information (CUI) and the systems that hold it whenever someone's employment status changes: hiring, transfer between roles, and termination. In practice that means defined procedures so that people hold only the access their current role needs, and that access is changed or removed promptly when the role changes or ends. When an employee leaves, for example, their accounts, credentials, tokens and physical access should be revoked as soon as HR records the termination, and any shared secrets they knew should be rotated. When a new hire or transfer starts, access should be provisioned from the role's defined entitlements rather than copied from a colleague's account. Pre-employment screening (background checks) is the subject of the companion practice PS.L2-3.9.1; this practice covers what happens to access and to CUI around those personnel events. The control exists to prevent insider misuse and accidental exposure of CUI by people who no longer need it.

🎯 Why It Matters

Failing to protect CUI during personnel actions is a direct path to a data breach. A terminated employee whose account, API keys or VPN access linger can copy sensitive data or sabotage systems, and a transferred employee who keeps old entitlements accumulates access no single role should have. The Verizon 2023 Data Breach Investigations Report attributes roughly one in five breaches to internal actors, often enabled by poor access management. The DoD emphasizes this control because compromised CUI can jeopardize national security and defense contracts. The financial and reputational damage from such breaches can be devastating, potentially costing millions in fines, lost contracts and the loss of CMMC certification.

How to Implement

  1. Use the cloud provider's identity and access management (IAM) service to grant access through role-based groups or roles in AWS, Azure or GCP, so that a person's entitlements follow their job role and can be removed by taking them out of the group rather than by hunting for individual permissions.
  2. Automate revocation on termination with scripts or cloud-native automation such as AWS Lambda or Azure Automation. Disable accounts rather than delete them (this preserves the audit trail), and revoke what a disabled login does not stop: API access keys, active sessions and refresh tokens, MFA devices, SSH keys, and shared secrets the person knew.
  3. Make the HR system the source of truth: feed employment status changes (hire, transfer, termination) to the identity platform, for example via SCIM provisioning, so that access changes are triggered by HR events rather than by an email to IT.
  4. Log and monitor every access change with CloudTrail, Azure Monitor or the equivalent, and alert on activity from an account after its owner's termination time.
  5. Review user access on a fixed schedule (quarterly at minimum) and reconcile the account list against the HR roster to catch orphaned and never-disabled accounts.
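The steps above as one runnable Python example. This is an added illustration, not NetStable's code or any vendor's tool: it reconciles a constructed HR status feed against a constructed IAM user inventory, produces the revocation actions for each terminated employee's still-enabled account (login, access keys, sessions, group membership), measures completed terminations against the 1-hour disablement target this page uses, flags CloudTrail-style events by an account after its owner's termination time, and renders the Access Revocation Log from the Evidence Examples as CSV. All names, IDs, timestamps and events are made up for the example, the function names are hypothetical, and a real deployment would pull the HR feed and the IAM inventory from your HR system and the provider API (for AWS, IAM ListUsers, GetLoginProfile and ListAccessKeys) rather than from inline lists.

```python
"""Offboarding reconciliation for PS.L2-3.9.2 (added example, constructed data)."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SLA = timedelta(hours=1)  # this page's target: account disabled within 1 hour of termination


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


# Constructed HR feed: HR is the source of truth for employment status.
HR_FEED = [
    {"employee_id": "E1001", "name": "A. Rivera", "status": "active", "terminated_at": None},
    {"employee_id": "E1002", "name": "B. Chen", "status": "terminated", "terminated_at": "2024-03-04T15:00:00Z"},
    {"employee_id": "E1003", "name": "C. Okafor", "status": "terminated", "terminated_at": "2024-03-04T09:00:00Z"},
]

# Constructed IAM inventory; an employee_id tag links each account to its HR record.
IAM_USERS = [
    {"user": "arivera", "employee_id": "E1001", "enabled": True, "access_keys": ["AKIA-EX-1"], "disabled_at": None},
    {"user": "bchen", "employee_id": "E1002", "enabled": True, "access_keys": ["AKIA-EX-2", "AKIA-EX-3"], "disabled_at": None},
    {"user": "cokafor", "employee_id": "E1003", "enabled": False, "access_keys": [], "disabled_at": "2024-03-04T11:30:00Z"},
    {"user": "svc-legacy", "employee_id": None, "enabled": True, "access_keys": ["AKIA-EX-4"], "disabled_at": None},
]

# Constructed CloudTrail-style events (time, IAM user, API action).
EVENTS = [
    {"time": "2024-03-04T14:30:00Z", "user": "bchen", "action": "s3:GetObject"},
    {"time": "2024-03-04T16:10:00Z", "user": "bchen", "action": "s3:GetObject"},
    {"time": "2024-03-04T16:20:00Z", "user": "arivera", "action": "iam:ListUsers"},
]


@dataclass
class Revocation:
    user: str
    employee_id: str
    terminated_at: str
    actions: list  # what to revoke, in order


def plan_revocations(hr_feed, iam_users):
    """Return (revocations, orphans).

    revocations: actions for every still-enabled account of a terminated employee.
    Disabling the login is not enough: access keys and active sessions keep working
    until revoked, so each one is listed explicitly.
    orphans: accounts with no HR record; nothing in the HR feed will ever disable them.
    """
    terminated = {e["employee_id"]: e for e in hr_feed if e["status"] == "terminated"}
    revocations, orphans = [], []
    for u in iam_users:
        if u["employee_id"] is None:
            orphans.append(u["user"])
            continue
        emp = terminated.get(u["employee_id"])
        if emp is None or not u["enabled"]:
            continue
        actions = ["disable console login"]
        actions += [f"deactivate access key {k}" for k in u["access_keys"]]
        actions += ["revoke active sessions", "remove from all groups"]
        revocations.append(Revocation(u["user"], emp["employee_id"], emp["terminated_at"], actions))
    return revocations, orphans


def check_sla(hr_feed, iam_users, sla=SLA):
    """Per terminated account: ('met', 0), ('missed', minutes late) or ('open', None)."""
    by_emp = {u["employee_id"]: u for u in iam_users if u["employee_id"]}  # assumes one account per employee
    results = {}
    for e in hr_feed:
        if e["status"] != "terminated" or e["employee_id"] not in by_emp:
            continue
        u = by_emp[e["employee_id"]]
        if u["enabled"] or not u["disabled_at"]:
            results[u["user"]] = ("open", None)
            continue
        delay = parse_ts(u["disabled_at"]) - parse_ts(e["terminated_at"])
        late = max(0, int((delay - sla).total_seconds() // 60))
        results[u["user"]] = ("met" if delay <= sla else "missed", late)
    return results


def post_termination_activity(hr_feed, iam_users, events):
    """Events by an account after its owner's termination time: the lingering-access signal."""
    terminated = {e["employee_id"]: e["terminated_at"] for e in hr_feed if e["status"] == "terminated"}
    cutoff = {u["user"]: parse_ts(terminated[u["employee_id"]])
              for u in iam_users if u["employee_id"] in terminated}
    return [ev for ev in events if ev["user"] in cutoff and parse_ts(ev["time"]) > cutoff[ev["user"]]]


def revocation_log_csv(revocations, performed_by, performed_at):
    """Render the Access Revocation Log evidence artifact, one row per account."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["user", "employee_id", "terminated_at", "revoked_at", "revoked_by", "access_points_revoked"])
    for r in revocations:
        w.writerow([r.user, r.employee_id, r.terminated_at, performed_at, performed_by, "; ".join(r.actions)])
    return buf.getvalue()


if __name__ == "__main__":
    revs, orphans = plan_revocations(HR_FEED, IAM_USERS)
    print(revocation_log_csv(revs, "it-ops", "2024-03-04T16:30:00Z"))
    print("orphans needing an owner:", orphans)
    print("SLA:", check_sla(HR_FEED, IAM_USERS))
    print("post-termination activity:", post_termination_activity(HR_FEED, IAM_USERS, EVENTS))
```

Running the block prints the CSV, the orphan list, the SLA results and the flagged events. In the constructed data, bchen is still enabled two hours after termination and has already used S3 after the termination time, cokafor was disabled but 90 minutes past the 1-hour target, and svc-legacy has no HR owner at all. The SLA check assumes one IAM account per employee_id, which holds for human users but not for shared or service accounts; those show up as orphans precisely because no HR event will ever disable them, so they need a named owner and their own offboarding rule.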
⏱️ Estimated Effort

Implementation typically takes 2-3 days for small organizations, requiring intermediate IT skills. Ongoing maintenance requires 2-4 hours monthly.

📋 Evidence Examples

Access Revocation Log

Format: CSV/Excel
Frequency: Updated upon each termination
Contents: Employee name, termination date and time, date and time each access point was revoked, who performed the revocation, access points revoked (accounts, keys, tokens, badges)
Collection: Export from IAM tools or manual logs

Termination Checklist

Format: PDF/Word
Frequency: Completed for each termination; the template is reviewed annually or as processes change
Contents: Steps taken to revoke access, signed by HR and IT
Collection: Completed by HR/IT during termination

Access Review Report

Format: PDF/Excel
Frequency: Quarterly
Contents: List of users, access permissions, review date
Collection: Generated from IAM tools or manual reviews

Background Check Records

Format: PDF
Frequency: Upon hiring
Contents: Background check results for new hires
Collection: Provided by background check vendor

Signed Employment Agreement

Format: PDF
Frequency: Upon hiring
Contents: Employee acknowledgment of acceptable use policies
Collection: Signed by employee and stored in HR records

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For PS.L2-3.9.2 ("Ensure that CUI and organizational systems are protected during and after personnel actions"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe your personnel security program, including background check requirements, screening frequency, and procedures for protecting CUI during personnel actions (hiring, transfer, termination). Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"PS.L2-3.9.2 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to ensure that CUI and organizational systems are protected during and after personnel actions. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"PS.L2-3.9.2 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to ensure that CUI and organizational systems are protected during and after personnel actions. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"PS.L2-3.9.2 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all personnel categories with CUI access
  • Document the screening process and vendor
  • Specify termination SLAs for account disablement
  • Ensure this control covers every system within your defined CUI boundary on which personnel hold accounts or access, including on-premise, cloud, SaaS and physical access systems
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Personnel Security Policy
  • 📄 Background check summary (aggregate, not individual)
  • 📄 Termination checklists
  • 📄 HR-IT notification process documentation
  • 📄 Evidence artifacts specific to PS.L2-3.9.2
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will verify that all CUI-access personnel have been screened, test the termination process against the disablement SLA you document (this page uses 1 hour as the target; NIST SP 800-171 does not prescribe a number, so you are measured against your own policy), and review sample termination checklists and revocation log entries for completed terminations.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you have a documented process for revoking access upon termination?

✅ YES → Proceed to Q2
❌ NO → GAP: Develop a termination checklist and access revocation process. Complete within 2 weeks.

Question 2: Are background checks conducted for all new hires?

✅ YES → Proceed to Q3
❌ NO → GAP: Implement a background check policy. Complete within 1 month.

Question 3: Do you conduct regular access reviews?

✅ YES → Proceed to Q4
❌ NO → GAP: Schedule quarterly access reviews. Start within 1 month.

Question 4: Are access changes logged and audited?

✅ YES → Proceed to Q5
❌ NO → GAP: Enable logging in your IAM or AD system. Complete within 2 weeks.

Question 5: Do employees sign acceptable use policies?

✅ YES → Compliance confirmed.
❌ NO → GAP: Update employment agreements to include acceptable use policies. Complete within 1 month.

⚠️ Common Mistakes (What Auditors Flag)

1. Delayed access revocation

Why this happens: Lack of coordination between HR and IT.
How to avoid: Automate access revocation and use a termination checklist.

2. Incomplete background checks

Why this happens: Limited resources or unclear policies.
How to avoid: Standardize background check procedures for all hires.

3. Missing access reviews

Why this happens: Overlooked during busy periods.
How to avoid: Schedule quarterly reviews and assign ownership.

4. Inconsistent documentation

Why this happens: Manual processes or lack of templates.
How to avoid: Use standardized templates and centralized storage.

5. Failure to log access changes

Why this happens: Logging not enabled or monitored.
How to avoid: Enable logging in IAM/AD systems and review regularly.

📚 Parent Policy

This practice is governed by the Personnel Security Policy
