CMMC Level 2 practice PS.L2-3.9.2, derived from NIST SP 800-171 Rev 2 security requirement 3.9.2, requires organizations to ensure that CUI and organizational systems are protected during and after personnel actions including terminations, resignations, retirements, and transfers. The practice mandates that a documented policy and process exist to terminate system access authorizations and all associated credentials — including passwords, tokens, PKI certificates, and privileged accounts — coincident with or immediately upon such personnel actions. For transfers, access rights must be adjusted to reflect the new role, removing any authorizations no longer appropriate. The practice also encompasses retrieval of organization-issued property and conduct of exit interviews or debriefs to reinforce CUI handling obligations. Implementation must close the gap between the moment a personnel action occurs and the moment access is actually revoked, minimizing the insider threat window.
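One way to measure the gap the practice describes is to reconcile HR personnel actions against a snapshot of identity-provider state: separated users must be disabled promptly with every credential revoked, and transferred users must hold only the roles of the new position. The script below is an added example, not part of the original page or of any CMMC/NIST material; the HR records, account snapshot, one-hour lag threshold and role model are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample HR personnel actions (not real data).
PERSONNEL_ACTIONS = [
    {"user": "jdoe", "action": "termination", "effective": "2024-03-01T09:00:00"},
    {"user": "asmith", "action": "transfer", "effective": "2024-03-02T08:00:00", "new_role": "analyst"},
    {"user": "bwong", "action": "retirement", "effective": "2024-03-03T17:00:00"},
]

# Constructed snapshot of identity-provider state at AUDIT_TIME: whether the account
# is enabled, when it was disabled, which credentials are still valid, which roles it holds.
ACCOUNTS = {
    "jdoe": {"enabled": False, "disabled_at": "2024-03-01T09:20:00",
             "active_credentials": ["vpn-token"], "roles": []},
    "asmith": {"enabled": True, "disabled_at": None,
               "active_credentials": ["password"], "roles": ["engineer", "analyst"]},
    "bwong": {"enabled": True, "disabled_at": None,
              "active_credentials": ["password", "pki-cert"], "roles": ["admin"]},
}
AUDIT_TIME = datetime.fromisoformat("2024-03-04T09:00:00")
MAX_REVOCATION_LAG = timedelta(hours=1)  # assumed organizational threshold, not from the standard
SEPARATIONS = {"termination", "resignation", "retirement"}


def check_personnel_actions(actions, accounts, audit_time, max_lag=MAX_REVOCATION_LAG):
    """Return (user, issue, detail) findings where access does not match the HR action."""
    findings = []
    for act in actions:
        acct = accounts[act["user"]]
        effective = datetime.fromisoformat(act["effective"])
        if act["action"] in SEPARATIONS:
            # Separation: the account must be disabled within max_lag of the effective time
            # and every associated credential (password, token, certificate) revoked.
            if acct["enabled"]:
                findings.append((act["user"], "account still enabled", audit_time - effective))
            else:
                lag = datetime.fromisoformat(acct["disabled_at"]) - effective
                if lag > max_lag:
                    findings.append((act["user"], "revocation lag exceeded", lag))
            for cred in acct["active_credentials"]:
                findings.append((act["user"], "credential still valid", cred))
        elif act["action"] == "transfer":
            # Transfer: only roles appropriate to the new position may remain.
            for role in acct["roles"]:
                if role != act["new_role"]:
                    findings.append((act["user"], "stale role after transfer", role))
    return findings


if __name__ == "__main__":
    for user, issue, detail in check_personnel_actions(PERSONNEL_ACTIONS, ACCOUNTS, AUDIT_TIME):
        print(f"{user}: {issue} ({detail})")
```

Run against real exports, the same check gives evidence for an assessor that the revocation window is being measured rather than assumed.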
Where it stops · what it isn't
- This practice does not govern the initial screening or vetting of individuals prior to granting access — that is addressed by PS.L2-3.9.1.
- This practice does not define the specific access control mechanisms or authentication protocols used to enforce revocation — those are governed by AC and IA domain practices.
- This practice does not address physical access control systems or badge deactivation as a standalone function, though physical access should be coordinated as part of the overall offboarding process.
- This practice does not cover supply chain or contractor personnel management beyond the requirement that the same termination and transfer process applies to non-employee individuals with CUI system access.
- This practice does not prescribe specific timelines mandated by law for final paychecks or HR separation activities; it focuses exclusively on the cybersecurity and CUI protection obligations tied to those events.
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
PART OF domain/personnel-security