This post explains how small and mid-sized organizations can implement PS.L2-3.9.2 (NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2) — immediate revocation of access on termination — with clear, practical steps, technical examples, and audit-ready documentation to protect Controlled Unclassified Information (CUI).
Understanding PS.L2-3.9.2 and the compliance objective
PS.L2-3.9.2 requires organizations to ensure that access authorizations are revoked when employment is terminated or changed so that ex-employees cannot access CUI. The compliance objective is simple: eliminate all logical and physical access linked to the person at the point of separation (or as close to that moment as operations allow) and document the action. For organizations subject to DFARS or CMMC, failure to demonstrate timely revocation is a common audit finding and a real security exposure.
Step‑by‑step deprovisioning process (practical implementation)
Step 1 — Trigger: Ensure HR has a standard termination notification channel to IT/security (email-to-ticket, webhook, or automated HRIS integration). The notification must include the employee's name, username(s), termination time, role, and a list of known privileged access (VPN, cloud consoles, admin accounts). As part of the compliance framework implementation, define who is authorized to initiate the workflow and how evidence is captured.
Step 2 — Immediate logical access actions: As soon as the termination is confirmed, follow a prioritized checklist: (a) disable the domain/logon account, (b) revoke SSO sessions and refresh tokens, (c) disable MFA tokens, (d) remove the user from privileged groups, (e) remove access to cloud consoles and IAM keys, and (f) revoke any federated or third‑party app access. Examples: for Active Directory, disable the user with a PowerShell command (Disable-ADAccount -Identity "jdoe"); for Azure AD, set the account to disabled (Set-AzureADUser -ObjectId "jdoe@domain" -AccountEnabled $false), then revoke refresh tokens (Revoke-AzureADUserAllRefreshToken -ObjectId
Step 3 — Cloud, code and service credentials: Immediately delete or rotate any personal or service access keys. For AWS: delete IAM console access (aws iam delete-login-profile --user-name jdoe), list and delete the user's access keys (aws iam list-access-keys --user-name jdoe, then aws iam delete-access-key --user-name jdoe --access-key-id <AccessKeyId> for each key returned), and remove the user from groups/policies. Deleting the login profile and keys blocks new sign-ins and API calls, but temporary credentials already issued through an assumed role stay valid until they expire, so also revoke active role sessions (AWS supports a deny condition on the role using the aws:TokenIssueTime key). For GitHub/GitLab, remove the user from the organization and revoke OAuth tokens; remove any SSH keys from repository settings. For shared service accounts, rotate the password or secret in the password manager and update dependent services so a former employee cannot use cached credentials.
Step 4 — Endpoint and device actions: Use endpoint management (MDM) to wipe or retire corporate devices and revoke VPN/Zero Trust client certificates. In Microsoft Intune, retire the device via the admin console to remove company data and disable enrollment. For local or BYOD devices that had corporate access, remove device trust records and revoke VPN certificates so cached clients cannot reconnect. Collect company-issued mobile devices, smartcards, and PIV credentials as part of the physical off-boarding checklist.
Documentation, evidence, and timelines
Document each action with a timestamp, the actor, and the method (console, API, or script). Capture screenshots or logs where possible and attach them to the termination ticket. For compliance, retain an offboarding audit artifact that shows when the AD account was disabled, when SSO tokens were revoked, which devices were retired, and who performed each action. Establish a policy for “immediate” (recommended: within 15–60 minutes for high-risk/CUI roles) and “standard” (within 24 hours for non-privileged roles). Ensure log retention aligns with contractual or regulatory requirements — commonly 1–3 years or as specified in contracts.
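One way to turn the checklist from Steps 2–4 and the evidence and timing policy above into an automated ticket check, as an added example that is not code from the post (the action names, the ticket row layout, the 60-minute/24-hour deadlines taken from the recommendation above, and the sample entries are this example's own constructed conventions):

```python
from datetime import datetime, timedelta

# Checklist items from Steps 2-4 of the post; systems in the notification's access
# list add their own items (Step 3). Action names are this example's convention.
BASE_ACTIONS = ["disable_directory_account", "revoke_sso_tokens", "disable_mfa",
                "remove_privileged_groups", "retire_devices"]
ACCESS_ACTIONS = {"aws": "delete_aws_keys", "github": "remove_github_user",
                  "vpn": "revoke_vpn_cert"}
# Timing policy from the post: 60 min for CUI/high-risk roles, 24 h otherwise.
SLA = {"high": timedelta(minutes=60), "standard": timedelta(hours=24)}
FIELDS = ("action", "timestamp", "actor", "method")   # evidence each entry needs


def required_actions(notice):
    """Derive the per-person checklist from the HR termination notification."""
    extra = [ACCESS_ACTIONS[a] for a in notice["access"] if a in ACCESS_ACTIONS]
    return BASE_ACTIONS + extra


def check_ticket(notice, actions):
    """Return audit findings for a ticket's action log; empty means audit-ready."""
    findings = []
    term = datetime.fromisoformat(notice["terminated_at"])
    deadline = term + SLA["high" if notice["cui_role"] else "standard"]
    done = {row[0]: dict(zip(FIELDS, row)) for row in actions}
    for name in required_actions(notice):
        rec = done.get(name)
        if rec is None:
            findings.append(f"missing: {name}")
            continue
        for field in FIELDS[1:]:          # every action needs who, when, how
            if not rec[field]:
                findings.append(f"{name}: no {field} recorded")
        if rec["timestamp"]:
            late = datetime.fromisoformat(rec["timestamp"]) - deadline
            if late > timedelta(0):
                findings.append(f"{name}: {late} past the revocation deadline")
    return findings


# Constructed sample ticket (Scenario A style): CUI role with AWS and GitHub access.
NOTICE = {"username": "jdoe", "cui_role": True, "access": ["aws", "github"],
          "terminated_at": "2024-03-01T14:00:00"}
ACTIONS = [  # rows follow FIELDS; note that disable_mfa was never recorded
    ("disable_directory_account", "2024-03-01T14:05:00", "it-ops", "Disable-ADAccount"),
    ("revoke_sso_tokens", "2024-03-01T14:06:00", "it-ops", "script"),
    ("remove_privileged_groups", "2024-03-01T14:07:00", "it-ops", "script"),
    ("delete_aws_keys", "2024-03-01T15:30:00", "seclead", "aws cli"),   # 30 min late
    ("remove_github_user", "2024-03-01T14:20:00", "", "console"),       # no actor
    ("retire_devices", "2024-03-01T14:30:00", "it-ops", "Intune retire"),
]
```

Running check_ticket(NOTICE, ACTIONS) on the sample reports the unrecorded MFA step, the late AWS key deletion and the GitHub entry with no actor; attach the empty-findings result to the ticket as the audit artifact.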
Small business scenarios and real-world examples
Scenario A — 25-person subcontractor: a software engineer leaves unexpectedly. Workflow: HR opens a termination ticket -> IT disables the AD account with a single PowerShell script that disables the account, removes group memberships, and rotates any shared build server credentials. The security lead checks AWS, GitHub, and the corporate password manager, revokes personal keys, and documents the actions in the ticket. Devices are collected from the employee the next business day, and a remote wipe is executed before they are shipped.
Scenario B — short-term contractor: the contractor’s contract ends at midnight. The company uses SSO + SCIM provisioning with Okta so deactivation in the HR system triggers Okta to deactivate the user, which automatically removes downstream SaaS entitlements (Slack, GitHub, Atlassian). The contractor had no local AD account; the company still revokes VPN certificates and rotates any shared repository secrets as a precaution.
Risk of not implementing immediate revocation
If access is not revoked promptly, ex-employees can retain access to CUI through cached credentials, VPN tokens, stale API keys, or remaining group memberships. Risks include data exfiltration, intellectual property theft, sabotage, reputational harm, and contract non-compliance (leading to audit findings, lost contracts, or penalties). Practical examples: a disgruntled employee with stale SSH keys copying source code after termination, or an account with an active API key used to spin up resources and incur financial loss.
Compliance tips and best practices
Automate where possible: integrate HRIS -> IAM/SSO via SCIM, use Just-In-Time (JIT) privileged access and session logging, apply least privilege and role-based access, and use a centralized password manager for shared secrets with automatic rotation. Maintain a formal offboarding playbook with assigned roles, a one‑click deprovisioning script for common systems, and quarterly tabletop exercises to test the process. For high-risk accounts, consider immediate credential revocation plus mandatory password and key rotations for shared assets. Keep privileged account access under Privileged Access Management (PAM) so credentials are never stored locally.
Summary: Implementing PS.L2-3.9.2 is a combination of policies, people, and tools — documented HR-to-IT workflows, automated SSO/SCIM provisioning, rapid credential revocation (AD/Azure/G-Suite/AWS/GitHub), endpoint retire/wipe, and rigorous evidence collection. For small businesses, pragmatic investments — an offboarding checklist, some automation (SCIM/SSO), and a single deprovisioning script — will materially reduce the risk to CUI and meet NIST/CMMC expectations while providing audit-ready proof.