Timely removal of access to Controlled Unclassified Information (CUI) after employee terminations or role transfers is a core requirement under NIST SP 800-171 Rev.2 and CMMC 2.0 Level 2 (PS.L2-3.9.2); automating this process reduces human error, shortens exposure windows, and produces auditable evidence required by the Compliance Framework.
What this control requires and key objectives
The control's objective is simple: ensure that when a user leaves the organization or moves to a role that no longer requires access to CUI, all logical and physical access to CUI is revoked promptly and verifiably. For organizations following the Compliance Framework, that means defining a measurable Service Level Agreement (SLA) for deprovisioning (commonly "immediate" for termination and within 24 hours for transfers), implementing automated workflows that integrate HR with Identity and Access Management (IAM), and producing logs and attestation records for auditors.
Step-by-step implementation (practical for small businesses)
1) Inventory and mapping: start by inventorying all systems, SaaS apps, cloud accounts, physical badge systems, VPN and MDM controllers that contain or provide access to CUI. Create a CUI-access matrix showing which roles/groups provide access to which assets. This mapping is the foundation for automated removal—if you can’t identify where CUI lives, you can’t reliably revoke access.
2) Integrate HR (source of truth) with IAM: implement a single authoritative Joiner/Mover/Leaver (JML) feed from HR or your HRIS. For small businesses this often means using an HR product (BambooHR, Workday, Paylocity) and connecting it to your IAM (Azure AD, Okta, Google Workspace) via SCIM or API. When HR changes an employee status to "Terminated" or updates a role, that change should trigger automatic deprovisioning workflows.
3) Implement and test automated deprovisioning workflows: build concrete actions for each system in your inventory. For example: in Azure AD, disable the account and revoke refresh tokens; in Okta, deactivate the user and remove group memberships; in AWS, deactivate console access, revoke access keys, detach IAM policies and remove the user from groups; for SaaS (Slack, Google Drive, Jira), call the provider API to remove the user's entitlement. Example sequence for Azure AD (conceptual): set AccountEnabled=false; revoke refresh tokens; remove group memberships; remove the license. For AWS: disable access keys, remove the user from IAM groups, delete the console password, and rotate or delete any API keys for services the user had access to.
Technical integration examples
Use SCIM where available for push deprovisioning (Okta, Azure AD, Google) so that user lifecycle changes propagate automatically. Where SCIM is not supported, automate via provider APIs and a central orchestration engine—simple options for small orgs include using cloud functions (Azure Logic Apps, AWS Lambda) or an automation tool (Ansible, Terraform with scripts, or a no-code workflow like Zapier/Workato for SaaS). Ensure your workflows also call MDM APIs (Microsoft Intune, Jamf) to wipe corporate devices and call physical access systems to revoke badge privileges.
Real-world small business scenario
Example: a 50-person defense subcontractor stores CUI in Azure, uses Azure AD for SSO, AWS for development, and Google Workspace for email. Implementation steps: (a) map which AD groups grant CUI access (e.g., group "CUI_Read"); (b) configure HR (BambooHR) to push changes to Azure AD via a middleware webhook to Azure Logic Apps; (c) the Logic App checks whether status=Terminated and, if so, disables the AD account, removes the user from the "CUI_Read" and "CUI_Admin" groups, calls Intune to retire the device, calls an AWS Lambda to deactivate IAM keys and detach policies, and calls the Google Admin SDK to revoke Drive and Gmail access. Test with a dry-run user monthly and record timestamps for each action so you can show auditors that deprovisioning completed within your SLA.
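The orchestration engine described in steps 1-3, the integration section and the scenario above, as an added example rather than code from the article or from any of the vendors it names: an HR Joiner/Mover/Leaver event drives a per-system workflow over a CUI-access matrix, a transfer keeps only the entitlements the new role still needs, every action is recorded with a timestamp as audit evidence, and a verification pass confirms no CUI entitlement survived. The CUI_MATRIX, ROLE_ENTITLEMENTS, the HR event shape and the SimulatedSystem adapter are constructed so it runs offline; the Microsoft Graph and AWS IAM calls named in the adapter's docstring are what a production adapter would make and are not invoked here.

```python
"""Deprovisioning orchestrator driven by an HR Joiner/Mover/Leaver (JML) event.

Added example, not vendor or article code. The CUI-access matrix, the role map,
the HR event and the SimulatedSystem adapter are constructed so the run is
offline; a production adapter would make the API calls named in its docstring.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed CUI-access matrix (assumption): system -> entitlements that grant CUI access.
CUI_MATRIX = {
    "azure_ad":   {"CUI_Read", "CUI_Admin"},
    "aws":        {"cui-dev-group"},
    "gworkspace": {"cui-shared-drive"},
}
# Constructed map (assumption): entitlements a destination role still needs after a transfer.
ROLE_ENTITLEMENTS = {
    "engineer": {("azure_ad", "CUI_Read"), ("aws", "cui-dev-group")},
    "sales": set(),
}


class SimulatedSystem:
    """Stand-in for a per-system adapter; records what a real adapter would do.

    Real equivalents (not called here):
      Azure AD / Microsoft Graph: PATCH /users/{id} {"accountEnabled": false},
                                  POST /users/{id}/revokeSignInSessions
      AWS IAM (boto3): update_access_key(Status="Inactive"), delete_login_profile,
                       remove_user_from_group, detach_user_policy
    """

    def __init__(self, name, memberships):
        self.name = name
        self.memberships = set(memberships)  # entitlements the user currently holds
        self.enabled = True
        self.sessions_revoked = False

    def disable_account(self):
        self.enabled = False
        return "200 accountEnabled=false"

    def revoke_sessions(self):
        self.sessions_revoked = True  # refresh tokens / access keys no longer usable
        return "204 sessions and keys revoked"

    def remove_entitlement(self, ent):
        if ent not in self.memberships:
            return f"204 {ent} already absent"  # idempotent: re-running the workflow is safe
        self.memberships.discard(ent)
        return f"204 removed {ent}"


@dataclass
class Evidence:
    """One auditable line of the deprovisioning trail."""
    employee_id: str
    system: str
    action: str
    response: str
    at: str


def deprovision(event, systems, clock=lambda: datetime.now(timezone.utc)):
    """Run the leaver/mover workflow for one HR event and return the evidence trail.

    event:   {"employee_id": ..., "status": "Terminated" | "Transferred", "new_role": ...}
    systems: {system_name: adapter} for every system in CUI_MATRIX
    clock:   injectable so tests get deterministic timestamps
    """
    trail = []

    def record(system, action, response):
        trail.append(Evidence(event["employee_id"], system, action, response, clock().isoformat()))

    if event["status"] == "Terminated":
        keep = set()
    elif event["status"] == "Transferred":
        keep = ROLE_ENTITLEMENTS.get(event.get("new_role"), set())
    else:
        return trail  # joiner or unknown status: nothing to revoke

    for name, entitlements in CUI_MATRIX.items():
        target = systems[name]
        if event["status"] == "Terminated":
            # Disable first, then revoke sessions, so a live token cannot outlast the account.
            record(name, "disable_account", target.disable_account())
            record(name, "revoke_sessions", target.revoke_sessions())
        for ent in sorted(entitlements):
            if (name, ent) in keep:
                record(name, f"keep {ent}", "skipped: still required by new role")
            else:
                record(name, f"remove {ent}", target.remove_entitlement(ent))
    return trail


def residual_cui_access(systems):
    """Post-run verification: CUI entitlements still held anywhere in the inventory."""
    return {(n, e) for n, ents in CUI_MATRIX.items() for e in ents if e in systems[n].memberships}


if __name__ == "__main__":
    fleet = {n: SimulatedSystem(n, ents) for n, ents in CUI_MATRIX.items()}
    for line in deprovision({"employee_id": "E100", "status": "Terminated"}, fleet):
        print(line)
    print("residual CUI access:", residual_cui_access(fleet))
```

The residual_cui_access check is the part worth keeping in a real deployment: the evidence trail shows what the workflow attempted, while a separate read-back of group membership after the run shows what actually happened, and a non-empty result is the automation gap to fix before the next assessment.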
Handling edge cases and privileged/service accounts
Service and privileged accounts need special handling. Don’t leave long-lived credentials or shared accounts unmanaged. Replace shared accounts with privileged access management (PAM) solutions (CyberArk, BeyondTrust, HashiCorp Vault) that provide session logging and just-in-time access. For service accounts, maintain a credential vault and implement automatic rotation on termination or role change. For shared admin accounts, require approval workflows and session recording; when a user leaves, revoke their ability to request privileged sessions immediately.
Auditing, evidence, and attestation
Compliance requires proof. Capture and retain machine-generated logs showing the deprovisioning events with timestamps (HR event -> IAM actions -> system responses). Forward these logs to a central log store or SIEM and correlate with the HR event. Maintain periodic access recertification records (quarterly or as required). For evidence in an assessment, supply the HR-to-IAM event trail, API responses from target systems confirming deactivation, and a manager attestation that the user's access was no longer required.
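The correlation the paragraph above asks for (HR event to IAM actions to system responses, checked against the SLA) as an added example; this is not code from the article. It reads newline-delimited JSON as a SIEM export might produce it, pairs each HR status change with the actions that followed for that employee, and reports elapsed time, failed API responses and required systems that never reported. The log lines, their field names, the REQUIRED_SYSTEMS set and the quantification of "immediate" as 15 minutes are all constructed assumptions; the 24-hour transfer SLA is the one the article suggests.

```python
"""Correlate HR leaver events with IAM deprovisioning actions and check the SLA.

Added example, not part of the original article. The JSON log lines, their field
names and REQUIRED_SYSTEMS are constructed; in practice the HR feed and the target
systems' API responses are forwarded to the SIEM in whatever schema it uses.
"""
import json
from datetime import datetime, timedelta

# SLAs from the written JML policy; "immediate" is quantified here as 15 minutes (assumption).
SLA = {"Terminated": timedelta(minutes=15), "Transferred": timedelta(hours=24)}
# Every termination must show a successful action on each of these (from the CUI inventory).
REQUIRED_SYSTEMS = {"azure_ad", "aws", "gworkspace", "intune"}

# Constructed sample trail: three HR events and the IAM actions that followed each.
SAMPLE_LOG = """
{"ts":"2024-03-04T09:00:00Z","event":"hr.status","employee_id":"E100","status":"Terminated"}
{"ts":"2024-03-04T09:00:07Z","event":"iam.action","employee_id":"E100","system":"azure_ad","action":"disable_account","result":"ok"}
{"ts":"2024-03-04T09:00:09Z","event":"iam.action","employee_id":"E100","system":"aws","action":"deactivate_keys","result":"ok"}
{"ts":"2024-03-04T09:00:12Z","event":"iam.action","employee_id":"E100","system":"gworkspace","action":"suspend","result":"ok"}
{"ts":"2024-03-04T09:00:15Z","event":"iam.action","employee_id":"E100","system":"intune","action":"retire_device","result":"ok"}
{"ts":"2024-03-05T14:00:00Z","event":"hr.status","employee_id":"E200","status":"Transferred"}
{"ts":"2024-03-05T14:01:00Z","event":"iam.action","employee_id":"E200","system":"aws","action":"detach_policy","result":"error: AccessDenied"}
{"ts":"2024-03-07T08:00:00Z","event":"iam.action","employee_id":"E200","system":"azure_ad","action":"remove_group:CUI_Admin","result":"ok"}
{"ts":"2024-03-08T10:00:00Z","event":"hr.status","employee_id":"E300","status":"Terminated"}
{"ts":"2024-03-08T10:00:03Z","event":"iam.action","employee_id":"E300","system":"azure_ad","action":"disable_account","result":"ok"}
{"ts":"2024-03-08T10:00:05Z","event":"iam.action","employee_id":"E300","system":"aws","action":"deactivate_keys","result":"ok"}
{"ts":"2024-03-08T10:00:08Z","event":"iam.action","employee_id":"E300","system":"gworkspace","action":"suspend","result":"ok"}
"""


def parse_log(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def evaluate(records):
    """Return {employee_id: finding}.

    A finding is SLA-met only when nothing failed, every required system reported
    success (terminations only) and the last successful action fell within the SLA.
    """
    hr_events = {r["employee_id"]: r for r in records if r["event"] == "hr.status"}
    actions = {}
    for r in records:
        if r["event"] == "iam.action":
            actions.setdefault(r["employee_id"], []).append(r)

    findings = {}
    for emp, hr in hr_events.items():
        started = _ts(hr["ts"])
        acts = actions.get(emp, [])
        ok = [a for a in acts if a["result"] == "ok"]
        failed = sorted(f'{a["system"]}:{a["action"]}' for a in acts if a["result"] != "ok")
        done = {a["system"] for a in ok}
        missing = sorted(REQUIRED_SYSTEMS - done) if hr["status"] == "Terminated" else []
        finished = max((_ts(a["ts"]) for a in ok), default=None)
        elapsed = (finished - started) if finished else None
        sla_met = (not missing and not failed
                   and elapsed is not None and elapsed <= SLA[hr["status"]])
        findings[emp] = {"status": hr["status"], "elapsed": elapsed,
                         "missing": missing, "failed": failed, "sla_met": sla_met}
    return findings


def report(findings):
    """One line per employee, suitable for an assessment evidence package."""
    lines = []
    for emp, f in sorted(findings.items()):
        state = "PASS" if f["sla_met"] else "FAIL"
        lines.append(f'{emp} {f["status"]:<11} {state} elapsed={f["elapsed"]} '
                     f'missing={f["missing"]} failed={f["failed"]}')
    return lines


if __name__ == "__main__":
    for line in report(evaluate(parse_log(SAMPLE_LOG))):
        print(line)
```

Run against the sample, E100 passes, E200 fails on both the AccessDenied response and a 42-hour completion time, and E300 fails because no Intune record ever arrived. That last case is the one manual review tends to miss: every action that ran succeeded, so only a check against the inventory of required systems reveals the gap.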
Compliance tips, best practices, and SLA recommendations
Keep these practical best practices in mind: (1) Define a written JML policy that states SLAs (e.g., termination = immediate; transfers = within 24 hours). (2) Use role-based access control (RBAC) and group-based entitlements—automating group membership makes removal simple. (3) Test deprovisioning workflows quarterly and run “tabletop” exercises with HR and IT. (4) Make HR changes the single trigger, and restrict manual admin deactivations to emergency use only with documented justification. (5) Keep a living inventory of systems with CUI and the integration status (SCIM/API/manual) so you know where automation gaps exist.
Risks of not implementing automated revocation
Failing to automate and reliably enforce deprovisioning increases the risk of ex-employees or transferred staff retaining access to CUI—this can lead to data leakage, intellectual property loss, contractual penalties, failed audits, and loss of DoD contracts. Manual processes are slow and error-prone; each minute of unrevoked access is an exposure window. In incidents, the lack of a clear audit trail or timely deactivation record also impedes forensic investigation and increases regulatory risk under the Compliance Framework.
In summary, meeting PS.L2-3.9.2 under NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 is achievable for small businesses by treating HR as the authoritative source of truth, mapping CUI entitlements, automating deprovisioning with SCIM/APIs or orchestration tools, handling privileged/service accounts via PAM and rotation, and maintaining auditable logs and SLAs; start with an inventory, implement JML automation, test regularly, and document everything for assessors.