When an employee exits or transfers roles, organizations must immediately secure any systems and data that contain Controlled Unclassified Information (CUI); failure to do so risks data exfiltration, loss of contractual compliance, and serious reputational harm. This post provides a framework-specific, step-by-step checklist and technical guidance for implementing NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2 control PS.L2-3.9.2 in a small-business environment.
Why this control matters (risk and objectives)
The primary objective of PS.L2-3.9.2 is to ensure that users who leave or change roles lose access to CUI and that any organizational assets holding CUI are secured or reassigned. Risk from not implementing this includes unauthorized access to sensitive design files, contract data, or export-controlled information; regulatory fines; breach notifications; and termination of DoD contracts. For small businesses — where staff often wear multiple hats and shared credentials are more common — a single missed revocation is a high-risk vector.
Step-by-step operational checklist
Pre-exit steps (start as soon as transfer/termination is known)
1) Trigger the offboarding workflow from HR or the hiring manager so that IT and Security are notified automatically.
2) Pull an access inventory for the user: Active Directory groups, Azure/AWS/GCP IAM roles, VPN, SaaS apps, privileged accounts, SSH keys, API keys, and any access to CUI repositories (SharePoint, S3, internal NAS). Use automated inventory tools (e.g., Azure AD sign-in logs, AWS IAM report, Okta or OneLogin export) so nothing is manual.
3) Identify ownership of CUI: list the documents, repositories, encryption keys, and physical media the employee controls and plan reassignments or secure storage.
Exit-day checklist (actions to perform immediately)
1) Disable network access at exactly the configured time: disable the AD account (PowerShell: Disable-ADAccount -Identity jsmith), set the Azure/Okta user to blocked, and deactivate VPN accounts.
2) Revoke/rotate credentials: deactivate API keys (AWS CLI example: aws iam update-access-key --user-name jsmith --access-key-id AKIA... --status Inactive), revoke OAuth refresh tokens, and rotate any shared secrets in password vaults (1Password/LastPass/HashiCorp Vault) the user knew.
3) Collect assets: laptop, mobile devices, smart cards, badges; confirm that MDM (Intune/Jamf) can remotely wipe and re-image devices.
4) Snapshot and secure evidence: take forensics-grade images only if an investigation is needed; otherwise re-image following NIST SP 800-88 sanitization guidance before redeployment.
Technical cleanup and verification (post-exit)
1) Remove the user from all groups and role-based access control (RBAC) bindings; verify via group membership exports and IAM policy simulation tools.
2) Revoke SSH keys and update authorized_keys on servers; rotate service account keys they could access.
3) Reassign or change ownership on cloud storage objects: transfer Google Drive/SharePoint ownership, update S3 bucket ACLs, and ensure KMS encryption grants are updated (AWS KMS: retire grants tied to the user).
4) Force global sign-out for SaaS apps and invalidate sessions (e.g., Microsoft Graph: revokeSignInSessions).
5) Update PAM (Privileged Access Management) entries: remove the user from vault accounts and rotate the vault passwords they could access.
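The post-exit verification steps above (group removal, IAM key deactivation, SSH key cleanup), as an added Python example that is not part of the original post: it checks constructed sample exports for residual access belonging to jsmith and strips that user's keys from an authorized_keys file. The export layouts, user names and access-key IDs are constructed assumptions, not the output of any particular tool.

```python
"""Post-exit verification over constructed sample exports; no live system is touched."""
import csv
import io

# Constructed sample: AD export with the account's Enabled flag and group memberships.
AD_EXPORT_CSV = """sAMAccountName,enabled,group
jsmith,True,CUI-Engineering
jsmith,True,VPN-Users
alee,True,CUI-Engineering
"""
# Constructed sample: flattened IAM access-key listing; key IDs are placeholders.
IAM_KEYS = [
    {"UserName": "jsmith", "AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active"},
    {"UserName": "jsmith", "AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Inactive"},
]
# Constructed sample: authorized_keys on a build server; the last field names the key owner.
AUTHORIZED_KEYS = """ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyOne jsmith@example.com
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyTwo alee@example.com
"""

def ad_residual_access(csv_text, user):
    """Return (account_enabled, sorted group list) for the user from an AD export."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text)) if r["sAMAccountName"] == user]
    return any(r["enabled"] == "True" for r in rows), sorted(r["group"] for r in rows if r["group"])

def active_iam_keys(keys, user):
    """Access-key IDs still Active for the user; each one is a revocation gap."""
    return [k["AccessKeyId"] for k in keys if k["UserName"] == user and k["Status"] == "Active"]

def strip_user_ssh_keys(authorized_keys, user):
    """Drop key lines whose owner comment is the user; return (new_text, removed_count)."""
    kept, removed = [], 0
    for line in authorized_keys.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[-1].split("@")[0] == user:  # comment: 'user' or 'user@host'
            removed += 1
        elif parts:  # keep other keys; blank lines are dropped
            kept.append(line)
    return "".join(l + "\n" for l in kept), removed

def verify_offboarding(user, ad_csv, keys, authorized_keys):
    """Collect audit-ready findings; an empty list means no residual access was found."""
    enabled, groups = ad_residual_access(ad_csv, user)
    findings = [f"AD account {user} still enabled"] if enabled else []
    findings += [f"{user} still member of {g}" for g in groups]
    findings += [f"IAM key {k} still Active" for k in active_iam_keys(keys, user)]
    _, ssh = strip_user_ssh_keys(authorized_keys, user)
    if ssh:
        findings.append(f"{ssh} SSH key(s) for {user} still in authorized_keys")
    return findings
```

Calling verify_offboarding("jsmith", AD_EXPORT_CSV, IAM_KEYS, AUTHORIZED_KEYS) on the constructed data yields five findings; re-running it on the post-revocation exports should return an empty list, which is the evidence to attach to the offboarding ticket.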
Small-business real-world scenarios
Example A, a 25-employee engineering firm: A software engineer moves to another company. The firm runs Office 365, GitHub, and AWS. On exit day IT disables the Azure AD account, reassigns ownership of SharePoint files to the team lead, revokes GitHub deploy keys, rotates the AWS IAM keys used by the engineer's pipelines, and re-images the laptop via Intune.
Example B, a 40-employee manufacturer: A production manager transfers roles; the company collects the manager's badge and laptop, transfers physical maintenance logs containing CUI to a secured archive, revokes VPN and SCADA access, and re-keys facility door locks if the manager had unsupervised physical key access.
Both examples show how modest automation (an HR->IT webhook) and a short checklist eliminate gaps.
Compliance tips, best practices, and technical specifics
1) Automate: use HR-system triggers to create a ticket in ITSM that contains the user's access inventory.
2) Use the principle of least privilege and role-based access so revocation is a group removal rather than hundreds of individual policy edits.
3) Maintain an authoritative asset and data inventory that maps CUI location to owners and required protections (encryption, DLP policies, retention).
4) Implement MDM and full-disk encryption (BitLocker, FileVault) to prevent offline data access.
5) Log and retain offboarding events and access-revocation evidence for audits; include timestamps, ticket IDs, and screenshots where appropriate.
6) For encryption keys: remove user grants from KMS or HSM and perform key rotation if there is any suspicion the employee had key material.
7) For shared accounts, transition to ephemeral credentials via a secrets manager: configure automated rotation upon offboarding so old shared passwords become unusable.
Consequences of not implementing the control
Without a formalized process, organizations face elevated risk of CUI theft, unauthorized disclosure, or accidental retention of access rights. Consequences include data breaches, contractual penalties under DFARS clauses, loss of DoD contracts, regulatory reporting obligations, and significant remediation costs (forensic investigations, legal fees, credit monitoring). Small businesses are particularly vulnerable because resource constraints often mean human error or overlooked accounts go undetected for months.
Summary and next steps
Implementing PS.L2-3.9.2 requires a documented offboarding playbook, automated HR-to-IT handoffs, an accurate access inventory, immediate technical revocation actions, secure collection or reassignment of CUI-bearing assets, and post-exit verification and logging. Start by mapping all places CUI resides, build an offboarding checklist in your ITSM, automate account disablement where possible, and schedule regular audits (quarterly) to catch orphaned access. These practical steps protect your small business from avoidable risk and place you squarely on the path to NIST SP 800-171 / CMMC 2.0 Level 2 compliance.