CMMC Level 2 Implementation Guide July 3, 2026 · 8 min read

How to Implement CMMC Level 2 Personnel Security (PS) Requirements

Two practices. That makes PS the smallest domain in CMMC Level 2. But 3.9.2 (the termination and transfer practice) consistently generates findings because the process it requires sits at the intersection of HR, IT, and security, and organizations frequently assume someone else is handling it. This guide covers both practices, how to build a compliant process, and the evidence an assessor will expect.

Why Two Practices Can Still Create Findings

Two practices. Sounds easy. Then you discover that the employee who left eight months ago still has an active Microsoft 365 account.

The PS domain covers the human layer of your security program: who you let in (3.9.1) and what you do when they leave or change roles (3.9.2). The risks addressed are real. Insider threat incidents frequently involve personnel who either should not have been granted access in the first place, or who retained access long after they no longer needed it.

The gap assessors find most often is not that organizations are careless about hiring. Most do run background checks. The gap is in the offboarding process. Access revocation depends on HR notifying IT promptly, IT having a complete list of all systems to revoke, and someone verifying that revocation actually happened. When any of those three steps breaks down, a departed employee has live credentials. That is a 3.9.2 finding, a potential data exposure, and exactly the kind of thing that shows up in breach investigations.

Scope reminder: PS applies to personnel with access to systems containing CUI, which includes contractors and vendors with system access, not just employees. A contractor who VPNs into your network to access project files is subject to the same screening and offboarding requirements as an employee.

Practice 3.9.1: Screen Personnel Before Authorizing CUI Access

3.9.1

Screen individuals prior to authorizing access to organizational systems containing CUI

Before granting any individual access to systems within your CUI boundary, verify that they are who they say they are and that they do not present an unacceptable risk. The specific screening elements are not mandated by NIST 800-171, but the screening must be risk-commensurate and consistently applied.

What a defensible screening process includes:

Documentation requirements:

Common mistake: Running background checks as part of the hiring process but not connecting the completion of screening to the granting of system access. If an employee starts and receives CUI system access on day one but the background check results are not back until week three, that is a gap. Access to CUI systems should be conditional on screening completion, not on start date.

Practice 3.9.2: Protect CUI During Terminations and Transfers

3.9.2

Ensure CUI is protected during and after personnel actions such as terminations and transfers

When an employee leaves or changes roles, their access must be adjusted immediately. 3.9.2 is both a data protection practice and an access control practice. The CUI risk is real: a departing employee with live credentials can exfiltrate data, sabotage systems, or simply retain access they are no longer authorized to have.

Termination checklist (what a compliant offboarding process covers):

Transfer / role change process:

Common mistake: Relying on a manual notification chain where HR emails IT when someone leaves. If IT does not act on that email for three days, or the email goes to someone on vacation, the departed employee has live credentials for days. Automate the trigger where possible: HR system integration with your identity provider so that account deactivation is triggered by the HR action, not by a manual handoff.

Building the Process That Connects HR and IT

The PS domain is inherently cross-functional. The controls live in HR process (screening, offboarding checklists) and IT execution (account deactivation, access revocation). The gap is almost always in the handoff between them. A few things that close it:

Quick win: If you use Microsoft Entra ID (Azure AD), enable the lifecycle workflows feature. You can configure automatic account disabling triggered by the employee's end date in the HR system (Workday, BambooHR, etc.) via HR-to-Entra provisioning. This removes the manual handoff entirely for the most critical step: directory account deactivation.

Need the Policy Document?

Our CMMC Level 2 Personnel Security Policy template covers both PS practices in formal policy language. Includes pre-employment screening requirements by role, offboarding access revocation procedures, transfer role-change review process, and contractor coverage provisions. Editable .docx, ready to customize in under an hour.

Download the PS Policy Template →

Frequently Asked Questions

NIST SP 800-171 practice 3.9.1 requires screening individuals prior to authorizing CUI access but does not prescribe a specific check type. Common baseline: identity verification, employment history verification, and 7-year criminal background check. For privileged roles, extend to credit checks and longer history windows. Document what your screening includes so assessors can verify it is applied consistently.
Yes. Practice 3.9.1 applies to any individual authorized to access systems containing CUI, including contractors, subcontractors, and vendor personnel with system access. Your personnel security policy should address how contractors are screened, either through your own process or by requiring attestation from the contracting organization that equivalent screening was completed.
NIST SP 800-171 does not specify a time limit, but the intent of 3.9.2 is immediate revocation: on or before the employee's last day, ideally at the moment of termination notification. Best practice and common assessor expectation is same-day revocation for all system access, with documented verification. Delays of even a few days are flagged as process gaps.
Practice 3.9.2 covers both terminations and transfers. For transfers, this means adjusting access to reflect the new role: removing access to systems the employee no longer needs and adding access appropriate to the new role. Without this review, employees accumulate privileges across roles, a pattern assessors specifically look for.
For 3.9.1: personnel security policy, pre-employment screening procedure, and records confirming screening was completed before access was granted. For 3.9.2: offboarding procedure, access revocation records with timestamps for departed employees, and transfer access review records. HR system exports and Active Directory account status reports are useful supporting evidence.

More CMMC Implementation Guides

🏠Physical Protection (PE)Read → 💾Media Protection (MP)Read → 🔒Access Controls (AC)Read → 🎓Awareness & Training (AT)Read → 🚨Incident Response (IR)Read → How to Pass a CMMC AssessmentRead →
📫

Get the Free CMMC Level 2 Practice Checklist

No spam. Practical guidance on CMMC compliance and new resources when we publish them.