BRACKETOLOGY | FEDRAMP
PS-4: PERSONNEL TERMINATION
FedRAMP Baseline Membership PS-4:
- LOW
- MODERATE
- HIGH
FedRAMP Bracketology
Use the FedRAMP Baseline Membership information above to determine whether a control or control enhancement is required for each Impact Baseline: LOW, MODERATE, or HIGH.
The baseline-specific sections below give the FedRAMP Impact Baseline-specific control configuration requirements for each of the [BRACKETS] in each control and/or control enhancement.
Review and use Additional Requirements and Guidance to build FedRAMP-compliant controls for your risk-based cybersecurity program.
Baseline-specific sections appear only where there are [BRACKETS] in the control or enhancement or where FedRAMP-specific requirements or guidance are available.
The organization, upon termination of individual employment:
- a. Disables information system access within [Assignment: organization-defined time period];
- b. Terminates/revokes any authenticators/credentials associated with the individual;
- c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];
- d. Retrieves all security-related organizational information system-related property;
- e. Retains access to organizational information and information systems formerly controlled by terminated individual; and
- f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].
FedRAMP control configuration information by baseline (FedRAMP-specified values replace the bracketed assignments):
LOW
The organization, upon termination of individual employment:
- a. Disables information system access within same day;
- b. Terminates/revokes any authenticators/credentials associated with the individual;
- c. Conducts exit interviews that include a discussion of organization-defined information security topics;
- d. Retrieves all security-related organizational information system-related property;
- e. Retains access to organizational information and information systems formerly controlled by terminated individual; and
- f. Notifies [Assignment: organization-defined personnel or roles] within organization-defined time period.
MODERATE
The organization, upon termination of individual employment:
- a. Disables information system access within same day;
- b. Terminates/revokes any authenticators/credentials associated with the individual;
- c. Conducts exit interviews that include a discussion of organization-defined information security topics;
- d. Retrieves all security-related organizational information system-related property;
- e. Retains access to organizational information and information systems formerly controlled by terminated individual; and
- f. Notifies [Assignment: organization-defined personnel or roles] within organization-defined time period.
HIGH
The organization, upon termination of individual employment:
- a. Disables information system access within eight (8) hours;
- b. Terminates/revokes any authenticators/credentials associated with the individual;
- c. Conducts exit interviews that include a discussion of organization-defined information security topics;
- d. Retrieves all security-related organizational information system-related property;
- e. Retains access to organizational information and information systems formerly controlled by terminated individual; and
- f. Notifies [Assignment: organization-defined personnel or roles] within organization-defined time period.
SUPPLEMENTAL GUIDANCE
Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified.
RELATED CONTROLS: PS-4
CONTROL ENHANCEMENTS
PS-4 (1) PERSONNEL TERMINATION | POST-EMPLOYMENT REQUIREMENTS
The organization:
- (a) Notifies terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and
- (b) Requires terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process.
Supplemental Guidance:
Organizations consult with the Office of the General Counsel regarding matters of post-employment requirements on terminated individuals.
PS-4 (2) PERSONNEL TERMINATION | AUTOMATED NOTIFICATION
FedRAMP Baseline Membership PS-4 (2):
- HIGH
The organization employs automated mechanisms to notify [Assignment: organization-defined personnel or roles] upon termination of an individual.
FedRAMP control configuration information by baseline:
There are no FedRAMP-specific requirements if this control is used for a LOW Impact system.
There are no FedRAMP-specific requirements if this control is used for a MODERATE Impact system.
The organization employs automated mechanisms to notify access control personnel responsible for disabling access to the system upon termination of an individual.
Supplemental Guidance:
In organizations with a large number of employees, not all personnel who need to know about termination actions receive the appropriate notifications, or, if such notifications are received, they may not occur in a timely manner. Automated mechanisms can be used to send automatic alerts or notifications to specific organizational personnel or roles (e.g., management personnel, supervisors, personnel security officers, information security officers, systems administrators, or information technology administrators) when individuals are terminated. Such automatic alerts or notifications can be conveyed in a variety of ways, including, for example, telephonically, via electronic mail, via text message, or via websites.
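As an added example (not FedRAMP, NIST, or Bracketology code), the following script automates the checks behind PS-4(a)/(b) and the PS-4(2) notification: it reads a constructed HR termination feed and constructed IAM audit log lines, tests whether access was disabled within the LOW/MODERATE "same day" or HIGH eight-hour value above and whether credentials were revoked, and builds one alert per noncompliant user for access control personnel. The log format, user names, and the reading of "same day" as the same UTC calendar day are assumptions.

```python
from datetime import datetime, timedelta
# FedRAMP PS-4(a) values from the page: LOW/MODERATE "same day", HIGH 8 hours.
# "Same day" is read here as the same UTC calendar day (an assumption).
WINDOW_HOURS = {"LOW": None, "MODERATE": None, "HIGH": 8}

# Constructed HR termination feed: user -> termination time (UTC).
TERMINATIONS = {
    "jdoe": datetime(2024, 3, 4, 9, 0),
    "asmith": datetime(2024, 3, 4, 16, 30),
    "bchen": datetime(2024, 3, 4, 22, 0),  # terminated late in the day
}

# Constructed IAM audit log: "<ISO-8601 time> <event> <user>" per line.
IAM_LOG = """\
2024-03-04T10:15:00 ACCOUNT_DISABLED jdoe
2024-03-04T10:16:00 CREDENTIALS_REVOKED jdoe
2024-03-05T08:05:00 ACCOUNT_DISABLED asmith
2024-03-05T00:30:00 ACCOUNT_DISABLED bchen
2024-03-05T00:31:00 CREDENTIALS_REVOKED bchen
"""
def parse_log(text):
    # Map user -> {event: timestamp} from the audit log lines.
    events = {}
    for line in text.splitlines():
        ts, event, user = line.split()
        events.setdefault(user, {})[event] = datetime.fromisoformat(ts)
    return events

def within_window(terminated, disabled, baseline):
    """PS-4(a): was access disabled inside the baseline's window?"""
    hours = WINDOW_HOURS[baseline]
    if hours is None:  # LOW/MODERATE: same calendar day as termination
        return disabled.date() == terminated.date()
    return disabled - terminated <= timedelta(hours=hours)  # HIGH: 8 hours

def check_ps4(baseline, terminations=TERMINATIONS, log=IAM_LOG):
    """Return {user: [findings]}; an empty list means PS-4(a)/(b) satisfied."""
    events, findings = parse_log(log), {}
    for user, t_time in terminations.items():
        ev, issues = events.get(user, {}), []
        disabled = ev.get("ACCOUNT_DISABLED")
        if disabled is None or not within_window(t_time, disabled, baseline):
            issues.append(f"PS-4(a): access not disabled within {baseline} window")
        if "CREDENTIALS_REVOKED" not in ev:
            issues.append("PS-4(b): authenticators/credentials not revoked")
        findings[user] = issues
    return findings

def notifications(baseline):
    # PS-4(2): one alert per noncompliant user for access control personnel.
    return [f"{u}: " + "; ".join(i) for u, i in check_ps4(baseline).items() if i]
```

Note that bchen passes the HIGH eight-hour window but fails the LOW/MODERATE same-day reading because the disable crossed midnight; how "same day" is interpreted should be agreed with the assessor.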
REFERENCES:
- NO REFERENCES