Controlled Unclassified Information (CUI) must be protected when personnel leave or change roles; PS.L2-3.9.2 (NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2) requires organizations to remove or adjust access in a timely and auditable way. This post gives you a practical checklist template, scripts you can adapt, and implementation tips so small businesses can meet the requirement without large overhead.
What this Control Requires (Compliance Framework perspective)
Within the Compliance Framework, PS.L2-3.9.2 focuses on access revocation or adjustment for terminated personnel and role changes to prevent unauthorized access to CUI. Practically this maps to documented processes that are consistently executed, evidence of action (logs/tickets), and automation where possible. Your checklist must cover identity, device, cloud, physical, and third-party access, and must produce artifacts auditors can verify (ticket IDs, timestamps, change logs).
Checklist Structure: Practical Implementation Details
Build the checklist as a single operational artifact used by HR, IT, and security: a) Trigger fields (employee name, ID, manager, termination/role-change type, effective time); b) Access inventory (systems, apps, privileges, shared accounts, keys); c) Actions (disable account, reclaim device, rotate shared secrets, revoke keys, update group memberships); d) Evidence capture (screenshot, ticket notes, log references); e) SLA timestamps and owner. Store the checklist in your ticketing system (e.g., ServiceNow, Jira) and link to CMDB entries so each asset is unambiguously identified.
Sample Termination Checklist (adaptable template)
Use these items as line entries in your ticket or spreadsheet; mark status and capture evidence for each:
- Disable directory account (Active Directory / Azure AD / Google Workspace)
- Disable VPN and MFA (revoke tokens, YubiKey deactivation)
- Revoke cloud access (AWS IAM, Azure RBAC, GCP IAM; rotate/delete access keys and remove roles)
- Collect company devices (laptop, phone) and inspect for CUI
- Change shared passwords and service account credentials the user had access to
- Remove SSH keys and GitHub access; review commits tagged by user for sensitive code/config
- Terminate contractor and vendor access; notify third parties in SOW
- Preserve mailbox and files as legal hold if required; snapshot cloud storage containing CUI
- Log the action in HR and Security ticket; attach screenshots/log lines as evidence
Automation & Scripts: Practical examples you can adapt
Automate repetitive steps and record results. Example PowerShell to disable an on-prem AD account (run from a domain-joined admin box with RSAT):
Import-Module ActiveDirectory
# Disable the AD user. -Identity does not accept a UPN (only DN, GUID, SID or
# SAMAccountName), so resolve the UPN to a user object first.
$upn = "jane.doe@corporate.local"
$user = Get-ADUser -Filter "UserPrincipalName -eq '$upn'"
if (-not $user) { throw "No AD user found for $upn" }
Disable-ADAccount -Identity $user
# Record timestamp and admin account as evidence for the termination ticket
Write-Output "$(Get-Date -Format o) | Disabled AD account $upn by $env:USERNAME"
Azure AD (AzureAD module) disable example:
Connect-AzureAD
Set-AzureADUser -ObjectId "jane.doe@contoso.com" -AccountEnabled $false
AWS CLI example to deactivate access keys (a script should enumerate every key the user holds and set each one to Inactive, then record the result):
aws iam list-access-keys --user-name jane.doe
aws iam update-access-key --user-name jane.doe --access-key-id AKIA... --status Inactive
# log output to your ticketing system: redirect stdout to ticket or S3
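The enumerate-and-deactivate step above as an added Python example (not code from the original post). It assumes an IAM client with the boto3 shape (`list_access_keys` / `update_access_key`); in production you would pass `boto3.client("iam")`, while `FakeIamClient` and the `AKIAEXAMPLE...` key ids are constructed here so the script runs offline.

```python
import os
from datetime import datetime, timezone

# Added example (not the post's code). `iam` is expected to have the boto3
# IAM client shape (list_access_keys / update_access_key); in production
# pass boto3.client("iam"). FakeIamClient below is constructed for offline use.

def deactivate_user_keys(iam, user_name, actor=None):
    """Set every Active access key of user_name to Inactive and return one
    evidence line per key, in the "<timestamp> | <action> by <admin>" style
    of the post's PowerShell example, for attachment to the ticket."""
    actor = actor or os.environ.get("USERNAME") or os.environ.get("USER") or "unknown"
    evidence, marker = [], None
    while True:  # list_access_keys is paginated; follow Marker until done
        kwargs = {"UserName": user_name}
        if marker:
            kwargs["Marker"] = marker
        page = iam.list_access_keys(**kwargs)
        for key in page["AccessKeyMetadata"]:
            if key["Status"] != "Active":
                continue  # already Inactive: nothing to revoke
            key_id = key["AccessKeyId"]
            iam.update_access_key(UserName=user_name, AccessKeyId=key_id, Status="Inactive")
            stamp = datetime.now(timezone.utc).isoformat()
            evidence.append(f"{stamp} | Deactivated IAM access key {key_id} for {user_name} by {actor}")
        if not page.get("IsTruncated"):
            return evidence
        marker = page["Marker"]


class FakeIamClient:
    """Constructed stand-in for boto3's IAM client (offline demo only)."""
    def __init__(self, keys):
        self.keys = dict(keys)  # access key id -> "Active" / "Inactive"

    def list_access_keys(self, UserName, Marker=None):
        meta = [{"UserName": UserName, "AccessKeyId": k, "Status": s}
                for k, s in self.keys.items()]
        return {"AccessKeyMetadata": meta, "IsTruncated": False}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId] = Status


if __name__ == "__main__":
    # Constructed sample: one live key and one already-inactive key.
    demo = FakeIamClient({"AKIAEXAMPLE000000001": "Active", "AKIAEXAMPLE000000002": "Inactive"})
    for line in deactivate_user_keys(demo, "jane.doe", actor="admin"):
        print(line)
```

Keys are set Inactive rather than deleted so the action is reversible if the termination is disputed; delete them once the ticket is closed and the evidence lines are attached.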
Small Business Scenarios and Timelines
For a small business with limited staff, define pragmatic SLAs: immediate suspensions for involuntary terminations (within 1 hour), role-change privilege reductions within 24 hours, and full device recovery/credential rotations within 72 hours. Example scenario: a program manager with CUI access moves to a non-CUI role. Immediately remove CUI project group membership, revoke access tokens, and run a quick search for CUI in their mail and OneDrive; then update HR and change file permissions. For exfiltration risk cases, escalate to incident response and preserve snapshots of endpoints and cloud logs.
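The SLAs above turned into a closure gate for the termination ticket, as an added Python example that is not part of the original post. The item shape (`action`, `sla`, `done`, `evidence`) and the sample timestamps are assumptions constructed for the demo; the three windows are the ones the post states.

```python
from datetime import datetime, timedelta, timezone

# Added example, not from the original post. Item shape (assumed):
# {"action": str, "sla": "suspend"|"reduce"|"recover", "done": bool, "evidence": str}
SLA_WINDOWS = {
    "suspend": timedelta(hours=1),   # involuntary termination: immediate suspension
    "reduce": timedelta(hours=24),   # role change: privilege reduction
    "recover": timedelta(hours=72),  # device recovery / credential rotation
}


def review_ticket(effective, items, now=None):
    """Check a termination/role-change ticket against the SLAs.

    Returns open items past their deadline, items marked done without an
    evidence reference (ticket id, log line, screenshot name), and whether
    the ticket may be closed: every item done and every item evidenced."""
    now = now or datetime.now(timezone.utc)
    overdue, unevidenced = [], []
    for item in items:
        deadline = effective + SLA_WINDOWS[item["sla"]]
        if not item["done"]:
            if now > deadline:
                overdue.append(f'{item["action"]} (due {deadline.isoformat()})')
        elif not item.get("evidence", "").strip():
            unevidenced.append(item["action"])
    all_done = all(i["done"] for i in items)
    return {"overdue": overdue, "unevidenced": unevidenced,
            "closable": all_done and not unevidenced}


if __name__ == "__main__":
    # Constructed sample: involuntary termination effective 09:00 UTC, reviewed at 11:00.
    effective = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    items = [
        {"action": "Disable directory account", "sla": "suspend", "done": False, "evidence": ""},
        {"action": "Remove CUI project groups", "sla": "reduce", "done": False, "evidence": ""},
        {"action": "Collect laptop", "sla": "recover", "done": True, "evidence": ""},
    ]
    print(review_ticket(effective, items, now=effective + timedelta(hours=2)))
```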
Compliance Tips and Best Practices
Keep the checklist iterative and evidence-focused: 1) Map all systems that store or transit CUI and maintain a current access matrix; 2) Use RBAC and least privilege to reduce per-termination work; 3) Automate disabling with just-in-time (JIT) and identity lifecycle tools (Okta, Microsoft Entra, Google Identity); 4) Maintain immutable logs (SIEM) and attach log excerpts to closure of the termination ticket; 5) Include third-party vendors in your offboarding process with contractually required notification windows. Maintain a Playbook that maps checklist items to the Compliance Framework control language so auditors can quickly validate PS.L2-3.9.2 coverage.
Risk of Not Implementing This Requirement
Failing to remove or adjust access in a timely manner exposes CUI to insider threat, credential misuse, lateral movement, and data exfiltration. Noncompliance can lead to contract loss, civil penalties, and failed audits under NIST SP 800-171 / CMMC 2.0; operationally, unrevoked accounts are among the highest-risk attack vectors in breach post-mortems. Lack of documented evidence or inconsistent execution will make it difficult to demonstrate compliance and remediate findings during an assessment.
Summary: Build a single, operational checklist that ties HR triggers to IT/security actions, automate what you can with auditable scripts, enforce SLAs for terminations and role changes, and keep evidence in your ticketing system and SIEM. For small businesses, focus on RBAC, a clear asset inventory, and a simple set of scripts (AD, Azure AD, AWS CLI) to make compliance with PS.L2-3.9.2 practical and demonstrable.