3.9.2 — Revoke on Departure

Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.

When someone leaves or changes roles, three things happen — fast:

  1. Terminations. On the day of termination (voluntary or involuntary): disable all accounts (Entra ID, VPN, applications), revoke MFA tokens, wipe MDM-managed devices remotely, collect company hardware (laptop, phone, badge, keys), and remove from all CUI access groups. Exit interview reminds the individual of their ongoing CUI obligations. No “we’ll get to it next week.”

  2. Transfers. When someone moves to a new role: grant the permissions needed for the new role and explicitly revoke the old ones. No permission accumulation — a person who transfers from engineering to sales doesn’t keep their engineering CUI access. Review and adjust on the day of transfer.

  3. Documentation. Every personnel action is recorded: what access was revoked, when, by whom, and what devices were collected. The assessor will compare HR’s termination date against the account disable date.

The assessor’s favorite test: pick a random recent termination from your HR records and check whether the account was disabled the same day. If there’s a multi-day gap, that’s a finding.
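The same check can be run in bulk before the assessor does it. The following is an added example, not code from the original page: it joins an HR termination export to an account-status export from the identity systems and reports every account disabled later than the termination date, or never disabled at all. The record layouts, field names and dates are constructed sample data and assumptions about what such exports contain.

```python
"""Added example (not part of the original page): compare HR termination dates
against per-system account disable timestamps and report any gap.

All records below are constructed sample data; the field names are assumptions
about what an HR export and an account-status export might contain.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Constructed HR export: one row per termination.
HR_TERMINATIONS = [
    {"employee_id": "E1001", "name": "A. Example", "termination_date": "2024-03-15"},  # a Friday
    {"employee_id": "E1002", "name": "B. Example", "termination_date": "2024-03-18"},  # a Monday
    {"employee_id": "E1003", "name": "C. Example", "termination_date": "2024-03-19"},
]

# Constructed account-status export: one row per account per system.
# disabled_at is None when the account is still enabled.
ACCOUNT_STATUS = [
    {"employee_id": "E1001", "system": "entra_id", "disabled_at": "2024-03-18T09:12:00"},  # Friday leaver, disabled Monday
    {"employee_id": "E1001", "system": "vpn",      "disabled_at": "2024-03-15T17:05:00"},
    {"employee_id": "E1002", "system": "entra_id", "disabled_at": "2024-03-18T16:40:00"},
    {"employee_id": "E1002", "system": "vpn",      "disabled_at": "2024-03-18T16:41:00"},
    {"employee_id": "E1003", "system": "entra_id", "disabled_at": "2024-03-19T10:00:00"},
    {"employee_id": "E1003", "system": "vpn",      "disabled_at": None},                   # never disabled
]


@dataclass
class Finding:
    employee_id: str
    system: str
    termination_date: date
    disabled_on: Optional[date]   # None when the account is still enabled
    gap_days: Optional[int]       # None when the account is still enabled


def audit_terminations(hr_rows, account_rows, max_gap_days=0):
    """Return one Finding per (employee, system) whose account was disabled more
    than max_gap_days after the HR termination date, or is still enabled.

    max_gap_days=0 is the same-day standard the text describes. An account
    disabled before the termination date (for example in advance of an
    involuntary termination) is not a finding. A leaver with no account rows at
    all is reported as missing evidence rather than silently passed.
    """
    findings = []
    accounts_by_employee = {}
    for row in account_rows:
        accounts_by_employee.setdefault(row["employee_id"], []).append(row)

    for hr in hr_rows:
        term = date.fromisoformat(hr["termination_date"])
        accounts = accounts_by_employee.get(hr["employee_id"], [])
        if not accounts:
            findings.append(Finding(hr["employee_id"], "<no account records>", term, None, None))
            continue
        for acct in accounts:
            if acct["disabled_at"] is None:
                findings.append(Finding(hr["employee_id"], acct["system"], term, None, None))
                continue
            disabled_on = datetime.fromisoformat(acct["disabled_at"]).date()
            gap = (disabled_on - term).days
            if gap > max_gap_days:
                findings.append(Finding(hr["employee_id"], acct["system"], term, disabled_on, gap))
    return findings


if __name__ == "__main__":
    for f in audit_terminations(HR_TERMINATIONS, ACCOUNT_STATUS):
        status = "STILL ENABLED" if f.gap_days is None else f"disabled {f.gap_days} day(s) late"
        print(f"{f.employee_id} {f.system}: terminated {f.termination_date}, {status}")
```

Running it on the sample data reports the Friday-to-Monday gap on E1001's directory account and the VPN account for E1003 that was never disabled; everything else was same-day. Feeding it the real exports on a monthly cadence turns the assessor's spot check into a standing control, and the output doubles as the disabled-account record the evidence list asks for.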


Your assessor needs a “yes” to every row:

| # | Question | What "yes" looks like |
|---|---|---|
| 1 | Is there a policy/process for terminating access coincident with personnel actions? | Documented offboarding procedure with same-day SLA for account disabling |
| 2 | Are access and credentials terminated consistent with personnel actions? | Recent termination records show accounts disabled on the same day |
| 3 | Is the system protected during and after transfer actions? | Transfer records show old permissions removed and new permissions granted; no accumulation |

Documents they’ll review: Personnel security policy; offboarding procedures; records of terminated and transferred personnel; disabled account records; device collection records; exit interview records; system security plan

People they’ll talk to: Personnel with HR/personnel security responsibilities; account management personnel; system or network administrators; information security personnel

Live demos they’ll ask for: “Show me a recent termination — when was the account disabled?” “Walk me through your offboarding workflow.” “Show me a transfer — were old permissions removed?”


These are the actual questions. Have answers ready.

  • “Show me your offboarding process. What’s the SLA for disabling accounts?”
  • “Pick a recent termination — when did HR notify IT? When was the account disabled?”
  • “What happens to company devices when someone leaves?”
  • “Show me a recent role transfer — were old CUI permissions removed?”
  • “How do you handle involuntary terminations where the employee may be hostile?”
  • “Are authenticators and credentials revoked — not just accounts disabled?”

Delayed revocation. HR terminates on Friday, IT disables the account on Monday. Three days of active access after termination. Automate the process — HR action triggers IT action on the same day.

Devices not collected. Former employee still has the company laptop three weeks later. If you can’t collect the device immediately, remote wipe it the same day through MDM.

Transfer permission accumulation. An employee transfers three times over five years and accumulates permissions from every role. Each transfer should be a clean slate: grant new, revoke old. Quarterly access reviews catch accumulation.
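A quarterly access review can find accumulation mechanically if each role has a documented baseline of approved groups. The following is an added example, not code from the original page: it compares every user's current group memberships against the baseline for their current role and reports excess groups (leftovers from earlier roles) and missing groups (new-role access never granted), calling out the CUI groups first. The role names, group names and user records are constructed sample data; the `CUI-` naming prefix is an assumption used only to sort the findings.

```python
"""Added example (not part of the original page): detect permission
accumulation after role transfers by comparing each user's actual group
memberships with the groups approved for their current role.

Role names, group names and user records are constructed sample data and
assumptions, not any organization's real access model.
"""

# Constructed role-to-group baseline: the only groups each role should hold.
# VPN-Users appears in every role, so holding it after a transfer is not excess.
ROLE_BASELINE = {
    "engineering": {"CUI-Eng-Designs", "VPN-Users", "Wiki-Engineering"},
    "sales":       {"CRM-Users", "VPN-Users", "Wiki-Sales"},
    "finance":     {"CUI-Contracts", "ERP-Finance", "VPN-Users"},
}

# Constructed current state: each user's role today and actual memberships.
USERS = [
    {"user": "u.one", "role": "sales",
     "groups": {"CRM-Users", "VPN-Users", "Wiki-Sales", "CUI-Eng-Designs"}},  # kept engineering CUI group after transfer
    {"user": "u.two", "role": "engineering",
     "groups": {"CUI-Eng-Designs", "VPN-Users", "Wiki-Engineering"}},          # clean
    {"user": "u.three", "role": "finance",
     "groups": {"CUI-Contracts", "VPN-Users", "CRM-Users", "Wiki-Sales"}},     # two leftovers, one baseline group never granted
]


def review_user(user, baseline=ROLE_BASELINE):
    """Return (excess, missing) group sets for one user against their role baseline.

    A role absent from the baseline has no approved groups, so every membership
    is reported as excess rather than being silently accepted.
    """
    approved = baseline.get(user["role"], set())
    return user["groups"] - approved, approved - user["groups"]


def accumulation_report(users, baseline=ROLE_BASELINE, cui_prefix="CUI-"):
    """Return one finding per user whose memberships deviate from the baseline.

    Each finding lists excess groups (the accumulation the assessor looks for),
    missing groups (new-role access not yet granted), and cui_excess, the subset
    of excess groups whose name carries the CUI prefix, which is fixed first.
    """
    report = []
    for u in users:
        excess, missing = review_user(u, baseline)
        if excess or missing:
            report.append({
                "user": u["user"],
                "role": u["role"],
                "excess": sorted(excess),
                "missing": sorted(missing),
                "cui_excess": sorted(g for g in excess if g.startswith(cui_prefix)),
            })
    return report


if __name__ == "__main__":
    for finding in accumulation_report(USERS):
        print(f"{finding['user']} ({finding['role']}): "
              f"excess={finding['excess']} missing={finding['missing']} "
              f"CUI excess={finding['cui_excess']}")
```

On the sample data the report flags u.one, who transferred to sales but still holds the engineering CUI group, and u.three, who carries two sales groups and was never added to the finance ERP group. The same comparison run on the day of a transfer, with the old role's baseline as the revoke list and the new role's baseline as the grant list, is the "clean slate" the text calls for.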

No exit interview. The departing employee isn’t reminded of their CUI obligations. While not strictly technical, the assessor may ask about exit procedures including CUI reminders.



| Requirement | Why it matters here |
|---|---|
| 3.9.1 — Screen Before Access | The onboarding counterpart: screen before access, revoke when leaving |
| 3.1.1 — Who Gets In | Access control list must be current; departures are removed immediately |
| 3.5.6 — Disable Dormant Accounts | Catches accounts missed by offboarding (defense in depth) |
| 3.3.2 — Trace Every Action | Audit trail showing when the account was disabled supports the evidence chain |

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.


CMMC Practice ID: PS.L2-3.9.2 | SPRS Weight: 5 points | POA&M Eligible: No