Mapped to NIST 800-171 Requirement: 3.9.2
CMMC Assessment Objective: PS.L2-3.9.2[b]
What This Control Means
Your policies and procedures must clearly document:
• What happens when someone leaves the company (voluntary or involuntary)
• What happens when someone transfers to a new role and no longer requires access to CUI
This includes both technical and administrative actions, such as:
• Revoking system access
• Recovering devices or storage media
• Updating user roles and access rights
• Logging all actions for traceability
Why It Matters
If these actions aren’t documented:
• IT and HR teams may miss critical offboarding or transition steps
• Former employees could retain access to sensitive data
• Cloud or vendor systems might be overlooked
• Assessors will flag the lack of defined processes for handling CUI-related access
Documentation ensures that offboarding and role transitions are repeatable, secure, and auditable.
How to Implement It
1. Write a Termination & Transfer Procedure Include actions such as:
• Disabling accounts
• Collecting company-owned equipment
• Revoking VPN, cloud, and email access
• Updating group memberships and permissions
2. Use a Checklist Format
• Break the process into actionable tasks for HR, IT, and security
• Include who is responsible for each action
3. Cover All Access Points
• Internal systems
• Remote platforms (e.g., SaaS, CRM, cloud storage)
• Encrypted drives or backup systems
4. Link to Related Policies
• Access Control Policy
• Asset Management Policy
• HR Exit Procedures
5. Review Regularly
• Update procedures when systems or job roles change
Evidence the Assessor Will Look For
• Termination/transfer procedure documents
• Checklists or workflow templates used during offboarding
• HR or IT policy documents referencing deprovisioning steps
• Access logs showing account disablement
• Audit trails linking actions to user separation dates
Common Gaps
• Documentation exists for new hires but not for offboarding
• No coordination between HR and IT for user transitions
• Terminated users retain access to cloud platforms or mobile apps
• Devices not returned or logged in asset tracking systems
How Cuick Trac Helps
Cuick Trac supports this requirement by:
• Providing step-by-step termination and transfer workflows
• Automating notifications to IT when a user departs or changes roles
• Logging each completed offboarding task, including device recovery and access removal
• Linking HR systems with access control platforms for real-time updates
• Centralizing all documentation for audit readiness
With Cuick Trac, user transitions are secure, well-documented, and easy to verify.
Final CTA
Every departure should trigger protection—not a vulnerability.
Schedule a Cuick Trac demo to streamline and document every step of your termination and transfer process.