This post provides a clear, actionable implementation checklist for organizations seeking to meet the NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control PS.L2-3.9.2, which requires immediate steps be taken to secure systems after an employee or contractor is terminated or transferred. The guidance below is focused on practical controls, technical commands, small-business scenarios, and compliance evidence you can implement today to reduce insider risks and protect Controlled Unclassified Information (CUI).
What "Immediate Steps" Means in Practice
Immediate means "as soon as operationally feasible": typically within the same business day and certainly within 24 hours of notification. For compliance, your offboarding process must be defined, repeatable, and auditable. Typical immediate actions are: disable user accounts (identity providers, VPN, cloud consoles), revoke sessions and tokens, remove access from SaaS apps and code repositories, collect physical assets, and begin rotating any shared secret, key, or certificate the person knew or held. Record a timestamp and the person performing each action as audit evidence.
Technical Implementation Checklist (Identity and Access)
Identity is the highest priority. Actions and example commands you can script into your playbook: 1) Disable the account in your IdP (Okta, Azure AD/Entra ID, Google Workspace). PowerShell example with the legacy AzureAD module: Set-AzureADUser -ObjectId "user@domain.com" -AccountEnabled $false; with the Microsoft Graph PowerShell module that replaces it: Update-MgUser -UserId "user@domain.com" -AccountEnabled:$false. 2) Revoke active sessions and tokens: Revoke-AzureADUserAllRefreshTokens -ObjectId "user@domain.com" (Graph: Revoke-MgUserSignInSession -UserId "user@domain.com"), or sign the user out of all sessions from the Google Workspace Admin Console. Disabling the account alone does not invalidate access tokens that were already issued; they stay usable until they expire (60 to 90 minutes by default in Entra ID) unless Continuous Access Evaluation is enforced, so revoke first and treat that window as exposure. 3) Remove registered MFA devices and other authentication methods so the person cannot re-authenticate or recover the account. 4) Deactivate, then delete or rotate API keys and access keys. AWS example: aws iam list-access-keys --user-name jdoe; aws iam update-access-key --user-name jdoe --access-key-id AKIA... --status Inactive (immediate, reversible, and the key ID stays searchable in CloudTrail); aws iam delete-access-key --user-name jdoe --access-key-id AKIA... once you have confirmed nothing else depends on it; detach policies: aws iam detach-user-policy --user-name jdoe --policy-arn arn:aws:iam::aws:policy/YourPolicy; and remove console access: aws iam delete-login-profile --user-name jdoe. 5) Remove the user from all groups and privileged roles (AD groups, AWS IAM groups, GitHub org/teams), and check for role trust policies or resource policies that name the user's principal directly.
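The AWS part of the identity checklist, collected into one script. This is an added example, not code from the original post. It wraps the aws CLI (the binary must be installed and authenticated as an IAM administrator) and removes console access, deactivates every access key, deactivates MFA devices, detaches managed policies, deletes inline policies, removes group memberships, and deletes CodeCommit SSH keys and service-specific credentials, appending one line per action to an evidence log with a UTC timestamp and the operator's name, which is the audit record the evidence section below asks for. Keys are deactivated rather than deleted by default; set HARD_DELETE=1 for the 24-hour full-deprovisioning pass. The user object itself is left in place, disabled, so CloudTrail entries still resolve to a name. The variable names, the log format and the HARD_DELETE switch are this example's own conventions.

```shell
#!/usr/bin/env bash
# Added example: AWS IAM deprovisioning for a departed or transferred user.
# Requires an authenticated `aws` CLI with IAM admin rights. Every revocation
# is appended to $EVIDENCE_LOG as key=value pairs for the audit trail.
set -eu

EVIDENCE_LOG=${EVIDENCE_LOG:-./offboarding-evidence.log}
OPERATOR=${OPERATOR:-$(id -un)}     # who performed the action
HARD_DELETE=${HARD_DELETE:-0}       # 0: deactivate keys only; 1: delete them

log_evidence() {  # log_evidence <action> <user> <target> [extra]
  printf 'ts=%s op=%s action=%s user=%s target=%s %s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$OPERATOR" "$1" "$2" "$3" "${4:-}" >> "$EVIDENCE_LOG"
}

# List items with one IAM call and revoke each with another, logging as we go.
# Args: <user> <list-op> <JMESPath query> <revoke-op> <id flag for revoke-op>
revoke_each() {
  local user=$1 list_op=$2 query=$3 revoke_op=$4 id_flag=$5 item
  for item in $(aws iam "$list_op" --user-name "$user" --query "$query" --output text); do
    [ "$item" = "None" ] && continue          # text output for an empty result
    aws iam "$revoke_op" --user-name "$user" "$id_flag" "$item"
    log_evidence "$revoke_op" "$user" "$item"
  done
}

aws_offboard_user() {
  local user=$1 key
  # 1. Console password: delete-login-profile fails harmlessly if there is none.
  if aws iam delete-login-profile --user-name "$user" 2>/dev/null; then
    log_evidence delete-login-profile "$user" console
  fi
  # 2. Access keys: deactivate now (reversible, key ID stays searchable in
  #    CloudTrail); delete only on the hard-delete pass.
  for key in $(aws iam list-access-keys --user-name "$user" \
                 --query 'AccessKeyMetadata[].AccessKeyId' --output text); do
    [ "$key" = "None" ] && continue
    aws iam update-access-key --user-name "$user" --access-key-id "$key" --status Inactive
    log_evidence update-access-key "$user" "$key" status=Inactive
    if [ "$HARD_DELETE" = 1 ]; then
      aws iam delete-access-key --user-name "$user" --access-key-id "$key"
      log_evidence delete-access-key "$user" "$key"
    fi
  done
  # 3. MFA devices, so a re-enabled account cannot be used with the old device.
  revoke_each "$user" list-mfa-devices 'MFADevices[].SerialNumber' \
              deactivate-mfa-device --serial-number
  # 4. Permissions: managed policies, inline policies, group memberships.
  revoke_each "$user" list-attached-user-policies 'AttachedPolicies[].PolicyArn' \
              detach-user-policy --policy-arn
  revoke_each "$user" list-user-policies 'PolicyNames' delete-user-policy --policy-name
  revoke_each "$user" list-groups-for-user 'Groups[].GroupName' \
              remove-user-from-group --group-name
  # 5. Other long-lived credentials: CodeCommit SSH keys and HTTPS Git credentials.
  revoke_each "$user" list-ssh-public-keys 'SSHPublicKeys[].SSHPublicKeyId' \
              delete-ssh-public-key --ssh-public-key-id
  revoke_each "$user" list-service-specific-credentials \
              'ServiceSpecificCredentials[].ServiceSpecificCredentialId' \
              delete-service-specific-credential --service-specific-credential-id
  log_evidence offboard-complete "$user" iam hard_delete="$HARD_DELETE"
}

# Usage: ./offboard-iam.sh <iam-username>
if [ $# -gt 0 ]; then
  aws_offboard_user "$1"
fi
```

Two caveats when running this for real: IAM is eventually consistent, so re-run the list calls a minute later and confirm they come back empty; and deactivating a key does not end sessions already obtained with it, so for any role the person could assume, also add the deny-on-aws:TokenIssueTime policy that the IAM console's "Revoke active sessions" button generates.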
Technical Implementation Checklist (Secrets, Devices, and Repositories)
After identity, address persistent credentials and endpoints: rotate shared passwords and secrets stored in vaults (HashiCorp Vault, AWS Secrets Manager), revoke repository deploy keys, and remove SSH keys from jump hosts. Example Linux step: remove the user's public key from every ~/.ssh/authorized_keys it appears in, matching on the key material rather than the comment at the end of the line (the comment is free text and may have been edited), or revoke the key centrally, for example with a key revocation list (KRL) or a RevokedKeys file referenced from sshd_config. For GitHub/GitLab: revoke personal access tokens and remove collaborator access; for CI/CD, rotate runner tokens and service account keys. For devices, issue a remote wipe for managed mobile devices, collect company laptops immediately, and retire or wipe enrolled devices in MDM (e.g., Intune/Microsoft Endpoint Manager).
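A worked version of the authorized_keys step, added here and not part of the original post. It takes the departing user's public key file and any number of authorized_keys files, and removes every line whose key type and base64 key material match, whatever options prefix (command="...", no-pty, and so on) or comment the line carries. The files in the test section are constructed and the key blobs in them are placeholders, not real keys; the function and file names are this example's own.

```shell
#!/usr/bin/env bash
# Added example: revoke one SSH public key from authorized_keys files by
# matching the key material (type + base64 blob), not the free-text comment.
set -eu

# Print "<keytype> <blob>" for the first public key found in a file. The loop
# skips any option fields that may precede the key type on an authorized_keys
# or .pub line.
key_blob() {
  awk '{
    for (i = 1; i < NF; i++)
      if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9-]+@openssh\.com)$/) {
        print $i, $(i + 1); exit
      }
  }' "$1"
}

# revoke_ssh_key <pubkey-file> <authorized_keys>...
# Rewrites each authorized_keys in place without the matching key, keeping the
# file's inode (and therefore its mode and owner). Prints the total removed.
revoke_ssh_key() {
  local want tmp n total=0 f
  want=$(key_blob "$1")
  [ -n "$want" ] || { echo "no public key found in $1" >&2; return 1; }
  shift
  for f in "$@"; do
    [ -f "$f" ] || continue
    tmp=$(mktemp)
    # awk writes the kept lines to $tmp and prints the number of removed lines.
    n=$(awk -v want="$want" -v out="$tmp" '
      { keep = 1
        for (i = 1; i < NF; i++)
          if (($i " " $(i + 1)) == want) { keep = 0; break }
        if (keep) print > out; else removed++ }
      END { print removed + 0 }' "$f")
    if [ "$n" -gt 0 ]; then
      cat "$tmp" > "$f"        # overwrite contents, preserve inode/permissions
      echo "revoked $n key(s) from $f" >&2
    fi
    rm -f "$tmp"
    total=$((total + n))
  done
  echo "$total"
}

# Usage: ./revoke-ssh-key.sh jdoe.pub /home/*/.ssh/authorized_keys
if [ $# -ge 2 ]; then
  revoke_ssh_key "$@"
fi
```

Run it on every host the person could reach, including root's authorized_keys and service accounts, and record the printed count with the host name as evidence. This removes future logins only; an SSH session that is already open survives until it is closed, so follow up by checking active sessions on the hosts where a count above zero was reported.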
Small-Business Scenarios and Real-World Examples
Scenario A: A 15-person contractor shop uses Google Workspace and a shared admin account for legacy billing; a senior engineer departs and their personal account is not disabled. Immediate steps: suspend the user, change the shared admin password, rotate the billing service account keys, and audit Drive sharing to remove external links and transfer ownership of any files the person owned. Scenario B: A small MSP with several AWS accounts gives engineers long-lived access keys. After an internal transfer, the engineer's keys were not revoked and were later used to exfiltrate S3 data. Fix: replace long-lived keys with short-lived credentials obtained by assuming roles (AWS STS), rotate or delete all long-lived keys immediately when an engineer changes roles or leaves, and tag resources with an owner so it is clear what must be revoked or rotated.
Compliance Tips and Best Practices
Create an "Offboarding Runbook" that ties HR events to automation in your IdP and cloud. Ensure your runbook includes: who must be notified (IT, security, HR, facilities), which systems to act on with one-click scripts, and required evidence (screenshots/log exports) for audit. Use automation: webhooks from HR systems to trigger deprovisioning workflows in Okta/Azure and to create an incident in your ticketing system. Implement least privilege, ephemeral credentials (short-lived tokens), and centralize secrets so rotation is simple. Maintain a table of service accounts and owners to know what must be rotated when those owners depart or transfer.
Risk of Not Implementing These Steps
Failure to promptly deprovision and rotate credentials exposes you to multiple risks: unauthorized access to CUI, intellectual property loss, ransomware infection using leftover credentials, and noncompliance with contract requirements that can lead to contract termination or fines. Insider incidents often rely on simple, persistent artifacts (an old SSH key, an active OAuth token, or an unrevoked VPN account) — these are low-effort exploits for attackers or disgruntled ex-employees and are commonly observed in real incident reports.
Implementation Notes, Evidence, and Timelines
Implementation notes: require HR to submit every termination/transfer event into a centralized system that triggers the checklist. Set SLAs: account suspension within 2 hours of notification for high-risk roles (administrators and anyone with production or CUI access) and within the same business day for everyone else; full deprovisioning and secret rotation within 24 hours; device return within 7 days; final account archive or deletion within 30 days. Capture evidence: logs showing account disablement, API call history for key deletions (CloudTrail for AWS, the audit log of your IdP), screenshots of MDM device wipes, and signed asset return receipts. Keep a secure, immutable record (SIEM or compliance tool) of the offboarding actions to demonstrate compliance in audits.
Summary: To meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 PS.L2-3.9.2, implement a documented, automated offboarding process that prioritizes identity and secret revocation, device collection/wipe, and rapid rotation of any shared credentials or certificates. For small businesses, focus first on automating the IdP steps, maintaining an owner-mapped inventory of keys and service accounts, and keeping auditable evidence of each action — these practical steps drastically reduce insider risk and provide the compliance evidence auditors expect.