This page is classified as INTERNAL.
NIST 800-53 (r4) Control
The organization, upon termination of individual employment:
a. Disables information system access within [FedRAMP Assignment: (H) eight (8) hours, (L) (M) same day];
b. Terminates/revokes any authenticators/credentials associated with the individual;
c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];
d. Retrieves all security-related organizational information system-related property;
e. Retains access to organizational information and information systems formerly controlled by terminated individual; and
f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].
NIST 800-53 (r4) Supplemental Guidance
Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified. Related controls: AC-2, IA-4, PE-2, PS-5, PS-6.
NIST 800-53 (r5) Discussion
System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified.
Meets Minimum Requirement:
Demonstrate the technical capability to rapidly disable information system access within the required time frame
Demonstrate the technical capability to suspend or destroy any authenticators
Conduct exit interviews for all terminations that remind departing employees of their obligations under Non-Disclosure Agreements (NDAs) and cover any other topics the organization deems necessary to discuss
Have a process for retrieving all security-related property (e.g. laptops, hardware-based MFA tokens, badges, keys)
Retain the ability to access the accounts, data and systems a terminated employee controlled (e.g. mailbox, file shares) for an organization-defined duration
Document internal and external notification of termination requirements
Best Practice:
Corporate support (e.g. HR) is permitted and even encouraged for employee terminations. Coordinate termination policy and procedure development with HR to align internal processes with compliance requirements
If working with a large HR department, pre-clear HR personnel to support in-boundary termination efforts
Use a checklist driven approach to employee termination that accounts for all steps
Maintain documentation for all assets and credentials assigned to an employee (e.g. parking passes, RFID badges, keys, USB drives, etc.)
Maintain a list of all accounts an employee might have access to (e.g. VPN, individual servers, specific applications, etc.)
Maintain centralized access control that can be terminated near instantly (e.g. revoking certificates, terminating MFA, suspending accounts in Active Directory, etc.)
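As an added example that is not part of the original page, the following Python tracker turns the checklist-driven approach above into assessable evidence: it takes the per-employee inventory of accounts, credentials and property, records when each item was disabled, revoked or retrieved, and checks every item against the control's disablement window quoted above (eight hours for the High baseline, end of the same calendar day for Low and Moderate). It also handles the case the supplemental guidance mentions where an account is disabled before the individual is notified. The system names, identifiers and timestamps are constructed for illustration.

```python
"""
Added example (not from the original page): a small tracker that turns the
PS-4 termination checklist into assessable evidence. Inventory entries,
system names and timestamps are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Disablement windows taken from the control parameters quoted above:
# High baseline = eight hours after termination; Low/Moderate = same day.
WINDOWS = {"high": timedelta(hours=8)}


@dataclass
class AccessItem:
    system: str                 # where the access lives (AD, VPN, cloud IAM ...)
    identifier: str             # account name, certificate serial, token id, asset tag
    kind: str                   # "account", "credential" or "property"
    disabled_at: Optional[datetime] = None


@dataclass
class Termination:
    employee: str
    terminated_at: datetime     # when the termination became effective
    baseline: str               # "high", "moderate" or "low"
    items: list[AccessItem] = field(default_factory=list)

    def deadline(self) -> datetime:
        """Latest acceptable disablement time for this baseline."""
        if self.baseline in WINDOWS:
            return self.terminated_at + WINDOWS[self.baseline]
        # "same day": end of the calendar day in the termination's own timezone
        return self.terminated_at.replace(hour=23, minute=59, second=59, microsecond=0)

    def record(self, system: str, identifier: str, when: datetime) -> AccessItem:
        """Log the moment an inventoried item was disabled, revoked or retrieved."""
        for item in self.items:
            if item.system == system and item.identifier == identifier:
                item.disabled_at = when
                return item
        raise KeyError(f"{system}:{identifier} is not in {self.employee}'s inventory")

    def outstanding(self) -> list[AccessItem]:
        """Items from the inventory that nobody has closed out yet."""
        return [i for i in self.items if i.disabled_at is None]

    def late(self) -> list[AccessItem]:
        """Items closed out after the baseline's deadline."""
        d = self.deadline()
        return [i for i in self.items if i.disabled_at is not None and i.disabled_at > d]

    def compliant(self) -> bool:
        """True only when every inventoried item is closed out inside the window."""
        return not self.outstanding() and not self.late()

    def evidence(self) -> list[str]:
        """One line per item, suitable for attaching to the termination ticket."""
        lines = []
        for i in self.items:
            if i.disabled_at is None:
                lines.append(f"OPEN {i.system}:{i.identifier}")
                continue
            elapsed = i.disabled_at - self.terminated_at
            # Disabling before the employee is notified is allowed by the guidance.
            note = "pre-notification" if elapsed < timedelta(0) else f"+{elapsed}"
            status = "LATE" if i.disabled_at > self.deadline() else "OK"
            lines.append(f"{status} {i.system}:{i.identifier} ({note})")
        return lines


def sample_termination(baseline: str = "high") -> Termination:
    """Constructed scenario: one employee with three inventoried items."""
    t = Termination("jdoe", datetime(2024, 3, 5, 14, 0, tzinfo=timezone.utc), baseline)
    t.items = [
        AccessItem("Active Directory", "jdoe", "account"),
        AccessItem("VPN", "cert-serial-4F2A", "credential"),
        AccessItem("AWS IAM", "jdoe", "account"),
    ]
    # AD account disabled before HR notified the employee
    t.record("Active Directory", "jdoe", datetime(2024, 3, 5, 13, 45, tzinfo=timezone.utc))
    t.record("VPN", "cert-serial-4F2A", datetime(2024, 3, 5, 16, 30, tzinfo=timezone.utc))
    # Cloud account handled after the eight-hour High window (22:00 UTC) had passed
    t.record("AWS IAM", "jdoe", datetime(2024, 3, 5, 23, 10, tzinfo=timezone.utc))
    return t


if __name__ == "__main__":
    for baseline in ("high", "moderate"):
        t = sample_termination(baseline)
        print(f"[{baseline}] compliant={t.compliant()}")
        print("\n".join(t.evidence()))
```

The same three timestamps pass under the Moderate baseline (same-day deadline) and fail under High (the AWS account was disabled after the eight-hour window), which is exactly the distinction an assessor reviewing account-termination evidence will look for. Populating the inventory from the asset and account lists described above, rather than from memory at termination time, is what makes the OPEN entries meaningful.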
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Review processes and procedures pertaining to employee termination to ensure all elements of the control are satisfied
Conduct a tabletop or simulated termination exercise, without advance warning to the responders, to assess organizational response and confirm that access is disabled within the required time frame
Inspect evidence of exit interviews for employee termination
Interview personnel to validate that termination processes are adhered to
Inspect account termination to validate that employee access can be rapidly disabled
CSP Implementation Tips:
AWS: Not inherited. PS-4 covers the CSP's own personnel; AWS's termination of its own staff is addressed under AWS's authorization and does not satisfy this control for a customer. Implement it with the platform's identity controls, e.g. deactivating or deleting the user's IAM access keys and console password, removing the user from IAM Identity Center, and rotating any long-lived credentials the user held.
Azure: Not inherited, for the same reason. Disable the user's Entra ID (Azure AD) account and revoke its refresh tokens so existing sessions cannot be renewed.
GCP: Not inherited, for the same reason. Suspend the user in Cloud Identity or Google Workspace, which ends access to Google Cloud resources granted to that identity, and rotate or delete any service account keys the user could have exported.