
How to Revoke Access and Recover Assets After Termination or Transfer — NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 - Control - PS.L2-3.9.2 Checklist

Step-by-step checklist and practical controls to revoke access and recover assets after termination or transfer to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 PS.L2-3.9.2 requirements.

April 21, 2026 • 4 min read


Revoking access and recovering assets immediately after an employee termination or role transfer is a core requirement of NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 (PS.L2-3.9.2); this post gives a practical, small-business oriented checklist and technical examples so you can implement, test, and document an auditable offboarding process that protects Controlled Unclassified Information (CUI) and reduces insider risk.

What PS.L2-3.9.2 requires and key objectives

The control requires that organizations promptly revoke access and recover organizational assets when users are terminated or transferred. Key objectives are: (1) remove logical access to networks, cloud providers, code repositories, and VPNs; (2) recover physical assets such as laptops, phones, and ID badges; and (3) rotate or revoke shared credentials or keys that the user had access to. To implement the control, map HR events to automated IT/Security workflows, define a maximum time-to-revoke (commonly within 1 hour for high-risk accounts and within 24 hours otherwise), and decide which evidence you retain for the assessment.

Practical implementation checklist

Step 1 — Trigger, roles, and automation

Define a single authoritative trigger: HR must initiate an offboarding event in your HRIS (e.g., BambooHR, ADP) that automatically opens a ticket in ITSM (e.g., ServiceNow, Jira) and notifies Security. Implement a webhook or integration so that a "termination" or "transfer" event includes username, employee ID, role, last day, and required asset list. Assign clear roles: HR owner, IT offboarding executor, Security reviewer, and manager sign-off for asset receipt. Document SLA: immediate suspension for terminations (within 1 hour) and scheduled transfers/deprovisioning on the effective transfer date.

Step 2 — Revoke logical access (technical actions)

Execute a prioritized list: disable accounts before deleting to preserve logs; disable AD accounts (PowerShell example: Disable-ADAccount -Identity "jdoe"); revoke Microsoft Entra ID (formerly Azure AD) refresh tokens (Revoke-AzureADUserAllRefreshToken -ObjectId <userId> in the older AzureAD module, or Revoke-MgUserSignInSession -UserId <userId> with the Microsoft Graph PowerShell SDK); deactivate Okta/IdP accounts via API; remove SSO group memberships; deactivate GitHub/GitLab accounts and invalidate personal access tokens. Revoking refresh tokens does not invalidate access tokens already issued, which stay usable until they expire (typically up to an hour), so disable the account first and treat the token revocation as cleanup. For cloud providers, rotate or deactivate IAM keys; AWS example to inactivate an access key: aws iam update-access-key --user-name jdoe --access-key-id AKIA... --status Inactive. Temporary credentials the user already obtained through STS remain valid until they expire; if that window matters, attach a deny policy with a DateLessThan condition on aws:TokenIssueTime so sessions issued before the termination time are cut off. For VPN and SSH, remove the user's public keys from servers' authorized_keys files and, if you issue SSH certificates, add the user's certificate serial or key to the CA's key revocation list (ssh-keygen -k) and distribute it to hosts via the RevokedKeys option in sshd_config; revoke VPN client certificates through your CA's CRL the same way. Remove the user's registered MFA devices in your IdP only after the account is disabled, so the devices cannot be used to pass a self-service recovery flow or to regain access if the account is ever re-enabled.

Step 3 — Recover physical devices and contain endpoints

Use your asset inventory (with serial numbers and asset tags) to determine which devices to recover; if the device is remote, use MDM/EMM (Intune/Google Endpoint Management/Jamf) to retire or remotely wipe it. If the device is on the network, instruct EDR/XDR to isolate the host (CrowdStrike/Defender for Endpoint: isolate/quarantine) to block network exfiltration until you can recover the device. For encrypted endpoints, confirm BitLocker/FileVault recovery keys are escrowed before you lock the user out: on Windows, retrieve the BitLocker recovery key via manage-bde -protectors -get C: (or from the Entra ID/AD escrow) so the disk can still be read for forensics before it is wiped or reassigned; for macOS, verify the escrowed recovery key in your MDM. Log chain-of-custody when a device is returned — include who collected it, time/date, and physical condition.

Step 4 — Rotate shared secrets, repositories, and service accounts

Inventory any shared credentials, vault entries, CI/CD tokens, or SSH deploy keys the user had access to and rotate them. Practical steps: remove the user from Password Manager shared folders (LastPass/1Password/Bitwarden), rotate secrets in HashiCorp Vault or AWS Secrets Manager, revoke GitHub deploy keys and regenerate CI tokens, and update any automation that used the user's credentials. Document the change with ticket IDs and update configuration management records. For service accounts, change secrets and verify dependent services before disabling to avoid outages.
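Steps 1 through 4 describe one procedure: an HR event becomes a prioritized, deadline-bound task list, and every completed action has to leave evidence. The script below is an added example, not code from the original post or from any HRIS/ITSM vendor: it builds that plan from a termination or transfer event using the SLAs stated above (1 hour for high-risk actions, 24 hours otherwise, effective date for transfers) and then checks the records IT logged against the deadlines, flagging missing, late and unticketed actions and any account deletion not preceded by a disable. The event and evidence field names and the action names are assumptions chosen for illustration.

```python
"""Offboarding plan builder and evidence check (added example, not the post's code).

The event/evidence shapes and action names below are assumptions, not any
HRIS or ITSM product's schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

TERMINATION_SLA = timedelta(hours=1)   # high-risk actions after a termination
ROUTINE_SLA = timedelta(hours=24)      # everything else after a termination

# (action, high_risk, applies_to_transfer) in execution order: identity first
# (disable, never delete, so logs survive), then tokens and keys, then shared
# secrets and physical recovery. High-risk actions are the ones whose delay
# leaves the person able to reach CUI remotely.
PLAYBOOK = [
    ("disable_idp_account",     True,  False),
    ("revoke_refresh_tokens",   True,  True),
    ("disable_ad_account",      True,  False),
    ("deactivate_cloud_keys",   True,  True),
    ("remove_sso_groups",       True,  True),
    ("revoke_ssh_keys",         True,  True),
    ("deactivate_scm_account",  True,  False),
    ("rotate_shared_secrets",   False, True),
    ("isolate_endpoint",        False, False),
    ("recover_physical_assets", False, False),
]


@dataclass(frozen=True)
class Task:
    action: str
    due: datetime
    high_risk: bool


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp and insist on a timezone."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError(f"timestamp must carry a timezone: {value}")
    return parsed


def build_plan(event: dict) -> list[Task]:
    """Derive dated tasks from an HR event (assumed shape):
    {"type": "termination"|"transfer", "username", "employee_id",
     "occurred_at": ISO-8601, "effective_date": ISO-8601 (transfers only)}"""
    for key in ("type", "username", "employee_id", "occurred_at"):
        if not event.get(key):
            raise ValueError(f"offboarding event missing required field: {key}")
    occurred = _ts(event["occurred_at"])
    if event["type"] == "termination":
        return [Task(a, occurred + (TERMINATION_SLA if hr else ROUTINE_SLA), hr)
                for a, hr, _ in PLAYBOOK]
    if event["type"] == "transfer":
        # Old-role access goes away on the effective date; the account stays.
        due = _ts(event["effective_date"])
        return [Task(a, due, hr) for a, hr, on_transfer in PLAYBOOK if on_transfer]
    raise ValueError(f"unknown event type: {event['type']}")


def check_evidence(plan: list[Task], evidence: list[dict]) -> dict:
    """Compare recorded actions ({"action", "completed_at", "ticket"}) with the plan.
    Reports actions that are missing, late, lack a ticket reference, or were
    deletions not preceded by a disable (deleting destroys the audit trail)."""
    done: dict[str, list[datetime]] = {}
    for rec in evidence:
        done.setdefault(rec["action"], []).append(_ts(rec["completed_at"]))
    findings = {"missing": [], "late": [], "unticketed": [], "deleted_before_disable": []}
    for task in plan:
        recs = [r for r in evidence if r["action"] == task.action]
        if not recs:
            findings["missing"].append(task.action)
            continue
        if max(done[task.action]) > task.due:
            findings["late"].append(task.action)
        if any(not r.get("ticket") for r in recs):
            findings["unticketed"].append(task.action)
    for action, times in done.items():
        if action.startswith("delete_"):
            disabled = done.get("disable_" + action[len("delete_"):], [])
            if not disabled or min(disabled) > min(times):
                findings["deleted_before_disable"].append(action)
    return findings


# Constructed sample: a developer terminated at 09:00 UTC on 2026-04-21.
SAMPLE_EVENT = {"type": "termination", "username": "jdoe", "employee_id": "E0042",
                "occurred_at": "2026-04-21T09:00:00Z"}


def _rec(action: str, hhmm: str, ticket: str = "IT-1187") -> dict:
    return {"action": action, "completed_at": f"2026-04-21T{hhmm}:00Z", "ticket": ticket}


SAMPLE_EVIDENCE = [
    _rec("disable_idp_account", "09:12"), _rec("revoke_refresh_tokens", "09:13"),
    _rec("disable_ad_account", "09:15"), _rec("deactivate_cloud_keys", "09:20"),
    _rec("remove_sso_groups", "09:25"),
    _rec("revoke_ssh_keys", "11:30"),                    # past the 1-hour SLA
    _rec("deactivate_scm_account", "09:30", ticket=""),  # no ticket reference
    _rec("rotate_shared_secrets", "14:00", "IT-1188"),
    _rec("isolate_endpoint", "09:40"),
    _rec("delete_ad_account", "09:10"),                  # deleted before disabled
    # recover_physical_assets has no record yet
]


def audit_sample() -> dict:
    return check_evidence(build_plan(SAMPLE_EVENT), SAMPLE_EVIDENCE)


if __name__ == "__main__":
    for kind, actions in audit_sample().items():
        print(f"{kind}: {', '.join(actions) or 'none'}")
```

Run it and the four finding lists are exactly the evidence gaps an assessor would ask about: the laptop recovery has no record, the SSH key revocation overran the 1-hour SLA, one action has no ticket to cite, and the AD account was deleted before it was disabled. Wire build_plan to the HRIS webhook and check_evidence to the closing of the ITSM ticket, and the output doubles as the per-event evidence summary for the assessment package.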

Small-business example scenario

Example: A 25-person defense contractor has a developer terminated today who had access to Azure DevOps, AWS, and a company laptop. HR files the termination via BambooHR, which triggers a Jira ticket to IT. Within 30 minutes IT disables the user's Azure AD and Okta accounts, revokes Azure refresh tokens and AWS access keys (aws iam list-access-keys to enumerate them, then aws iam update-access-key to set each one Inactive), removes the user from all SSO groups, deactivates GitHub access, and rotates a CI/CD token stored in a shared vault the user could read. The laptop is isolated in CrowdStrike, the BitLocker recovery key is retrieved, and IT arranges an express pickup logged in the asset inventory. Security runs an initial audit of access logs for anomalous file transfers before the termination and for any activity by the user after the accounts were disabled, and documents the findings for the assessment evidence package.
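The closing audit in that scenario has two questions: did the user pull an unusual amount of data before leaving, and did any credential survive the revocation? The script below is an added example, not code from the original post or any vendor, showing that review over a small constructed log. It reports successful activity by the user after the disable time (a missed key, token or session), counts failed authentication attempts after disable, and totals bytes moved by download-type events in a lookback window. The key=value line format, event names and 500 MiB threshold are assumptions for illustration, not any product's log schema.

```python
"""Post-termination access review (added example, not the post's code).

The log format, event names, IPs and threshold are constructed assumptions.
"""
from datetime import datetime, timedelta

LOOKBACK = timedelta(days=30)
BULK_BYTES = 500 * 1024 * 1024          # assumed threshold: 500 MiB in the window
TRANSFER_EVENTS = {"s3:GetObject", "sharepoint:Download", "git:Clone"}


def parse_line(line: str) -> dict:
    """'<ISO-8601> key=value key=value ...' -> dict with a datetime under 'ts'."""
    stamp, _, rest = line.partition(" ")
    rec = {"ts": datetime.fromisoformat(stamp.replace("Z", "+00:00"))}
    for field in rest.split():
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def review(lines, user: str, disabled_at: str) -> dict:
    """Residual access after disable, failed logins after disable, and bulk pulls before it."""
    disabled = datetime.fromisoformat(disabled_at.replace("Z", "+00:00"))
    residual, failed_after, pulled = [], 0, 0
    for line in lines:
        rec = parse_line(line)
        if rec.get("user") != user:
            continue
        if rec["ts"] > disabled:
            # Anything successful here means a credential survived Step 2.
            if rec.get("result") == "success":
                residual.append((rec["ts"].isoformat(), rec.get("event"), rec.get("src")))
            else:
                failed_after += 1
        elif rec["ts"] >= disabled - LOOKBACK and rec.get("event") in TRANSFER_EVENTS:
            pulled += int(rec.get("bytes", 0))
    return {
        "residual_access": residual,
        "failed_after_disable": failed_after,
        "bytes_pulled": pulled,
        "bulk_pull": pulled >= BULK_BYTES,
    }


# Constructed sample log; jdoe's accounts were disabled at 09:30 UTC on 2026-04-21.
# The last line models an AWS access key that was missed during revocation.
SAMPLE_LOG = """\
2026-03-10T11:02:41Z user=jdoe src=198.51.100.23 event=git:Clone result=success bytes=20971520 repo=fw-tools
2026-04-01T14:02:11Z user=jdoe src=198.51.100.23 event=sharepoint:Download result=success bytes=314572800 object=CUI/proposal-2026.zip
2026-04-19T22:41:03Z user=jdoe src=198.51.100.23 event=s3:GetObject result=success bytes=262144000 object=cui-bucket/drawings.tar
2026-04-21T08:30:00Z user=jdoe src=198.51.100.23 event=okta:login result=success
2026-04-21T09:55:12Z user=jdoe src=203.0.113.7 event=okta:login result=failure
2026-04-21T10:05:00Z user=asmith src=198.51.100.40 event=s3:GetObject result=success bytes=1024 object=cui-bucket/readme.txt
2026-04-21T10:41:09Z user=jdoe src=203.0.113.7 event=s3:ListBucket result=success bytes=0 key=AKIAIOSFODNN7EXAMPLE
""".splitlines()


def review_sample() -> dict:
    return review(SAMPLE_LOG, "jdoe", "2026-04-21T09:30:00Z")


if __name__ == "__main__":
    result = review_sample()
    for ts, event, src in result["residual_access"]:
        print(f"RESIDUAL ACCESS: {ts} {event} from {src} (a credential survived revocation)")
    print(f"failed auth attempts after disable: {result['failed_after_disable']}")
    print(f"bytes pulled in lookback window: {result['bytes_pulled']} (bulk={result['bulk_pull']})")
```

In the sample, the git clone falls outside the 30-day window and is ignored, the SharePoint and S3 downloads together cross the threshold, the post-disable Okta failure is expected and merely counted, and the successful S3 call at 10:41 is the finding that matters: it shows an access key that was not deactivated and sends IT back to Step 2. Feed the function whatever normalized export your SIEM or cloud audit trail produces, and keep the output with the ticket as evidence that the review was done.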

Risks of non-implementation and compliance tips

Failing to promptly revoke access and recover assets risks CUI exfiltration, credential misuse, and lateral movement by disgruntled insiders or opportunistic attackers — outcomes that can lead to contract loss, remediation costs, and failed CMMC/NIST assessments. Compliance tips: (1) test your offboarding workflow quarterly with a tabletop or live exercise; (2) centralize evidence (tickets, logs, recovery receipts) for assessors; (3) prefer automated deprovisioning via IdP/HRIS integrations to reduce human error; (4) keep a "skeleton" emergency process for off-hours terminations; and (5) maintain logs of disable/rotate events and retention policies aligned to NIST requirements so evidence is available during audits.

In summary, implementing PS.L2-3.9.2 requires a documented, automated, and testable offboarding process that ties HR events to rapid IT and Security actions: disable accounts (don't delete), isolate and recover endpoints, rotate shared secrets, log chain-of-custody for physical assets, and retain auditable evidence. For a small business, start by mapping HR triggers to a simple ITSM workflow, build integrations to your IdP and MDM, and put a 24/7 contingency plan in place — these practical steps will reduce risk and prepare you for a successful NIST/CMMC assessment.
