Access is revoked and CUI protected when people leave or transfer.
What it actually means
When someone is terminated or transfers, their access must be revoked promptly and any CUI/assets recovered. The classic failure is a departed employee whose accounts stay active for weeks. A defined offboarding process tied to HR closes this gap.
Pass or fail — an assessor needs a "yes" to each
- Access is disabled promptly on termination/transfer.
- Assets and credentials are recovered.
- Offboarding is a defined, HR-triggered process.
What to have ready
- Offboarding checklist/procedure
- Records of timely access removal
- HR-to-IT trigger
Where teams trip up
- Accounts left active after someone leaves
- No asset recovery on departure
- Offboarding that depends on someone remembering
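
An added example, not part of the original page: one way to produce records of timely access removal, and to catch accounts left active, is to reconcile HR separation events against an export from the identity system. The field names, the sample records and the 24-hour threshold are assumptions; the page itself only says "promptly".

```python
from datetime import datetime, timedelta

# Assumption: placeholder for the deadline your own offboarding procedure sets.
REVOCATION_SLA = timedelta(hours=24)
AS_OF = datetime.fromisoformat("2024-03-26T09:00")  # constructed audit time

# Constructed sample data; field names are hypothetical, not from any product.
HR_EVENTS = [  # terminations and transfers as recorded by HR
    {"user": "adavis", "event": "termination", "effective": "2024-03-01T17:00"},
    {"user": "bchen", "event": "termination", "effective": "2024-03-04T17:00"},
    {"user": "cortiz", "event": "transfer", "effective": "2024-03-05T09:00"},
    {"user": "dpatel", "event": "termination", "effective": "2024-03-06T17:00"},
]
ACCESS = [  # identity-system export; revoked_at None = old access still live
    {"user": "adavis", "revoked_at": "2024-03-01T17:20"},
    {"user": "bchen", "revoked_at": "2024-03-25T10:00"},
    {"user": "cortiz", "revoked_at": None},
]

def audit_offboarding(hr_events, access, as_of, sla=REVOCATION_SLA):
    """Return (user, status, delay) for every HR event that lacks timely removal."""
    revoked = {row["user"]: row["revoked_at"] for row in access}
    findings = []
    for ev in hr_events:
        effective = datetime.fromisoformat(ev["effective"])
        if effective > as_of:
            continue  # future-dated event, nothing is due yet
        if ev["user"] not in revoked:
            # HR knows about the event, IT has no record: the trigger never fired
            findings.append((ev["user"], "NO_RECORD", None))
            continue
        stamp = revoked[ev["user"]]
        # For access that is still live, measure exposure up to the audit time.
        delay = (datetime.fromisoformat(stamp) if stamp else as_of) - effective
        if delay <= sla:
            continue  # removed in time, or still inside the allowed window
        status = "LATE" if stamp else "STILL_ACTIVE"
        findings.append((ev["user"], status, delay))
    return findings

if __name__ == "__main__":
    for user, status, delay in audit_offboarding(HR_EVENTS, ACCESS, AS_OF):
        print(f"{user:8} {status:13} {delay if delay is not None else '-'}")
```

Run on a schedule against real exports, the output doubles as evidence for the assessor and as a catch for offboarding steps that nobody remembered to do.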