Personnel Termination

To meet the personnel termination requirement in NIST SP 800-53 Rev 5 PS-4, you must promptly disable a departing worker’s system access within your defined timeframe, revoke all credentials and authenticators, complete a security-focused exit discussion, and recover organization system-related property [1]. Operationalize it by tightly integrating HR offboarding with IAM deprovisioning, asset retrieval, and auditable records.

Key takeaways:

  • Define and enforce a termination-to-access-disable timeframe, then prove you met it for each departure [1].
  • Offboarding is broader than SSO removal: revoke all authenticators/credentials, including non-human access paths tied to the person [1].
  • Treat exit handling as a controlled workflow with evidence: ticket trail, access logs, asset return, and exit interview record [1].

“Personnel termination requirement” sounds like an HR checklist item until you see how quickly it turns into an incident. PS-4 in NIST SP 800-53 Rev 5 is explicit: once employment ends, the organization must (1) disable system access within an organization-defined time period, (2) terminate or revoke authenticators and credentials, (3) conduct an exit interview that includes organization-defined information security topics, and (4) retrieve security-related and organizational system-related property [1].

For FedRAMP Moderate environments, auditors expect this to be engineered, not improvised. That means you need an offboarding trigger, a repeatable deprovisioning runbook that covers every access path (SSO, privileged access, SaaS, cloud consoles, VPN, keys, tokens), and evidence you can produce without scrambling. The hard part is less “knowing PS-4 exists” and more building a cross-functional workflow that survives real life: involuntary terminations, time zone delays, contractors, shared admin accounts, and third parties who still hold your assets.

This page gives requirement-level implementation guidance you can put into operation quickly, with concrete steps, artifacts to retain, and the exam questions that commonly derail teams.

Regulatory text

NIST SP 800-53 Rev 5 PS-4 states: “Upon termination of individual employment, disable system access within an organization-defined time period; terminate or revoke any authenticators and credentials associated with the individual; conduct exit interviews that include a discussion of organization-defined information security topics; and retrieve all security-related organizational system-related property.” [1]

What the operator must do (in plain terms):

  • Pick a clock and enforce it. “Organization-defined time period” means you must set the timeframe and follow it consistently. Auditors will ask what it is and how you prove you met it [1].
  • Shut down access, not just accounts. Disabling system access includes all paths that allow the person to authenticate or act: SSO, local accounts, VPN, cloud IAM, privileged tools, API keys or tokens issued to the individual, and credentials stored in password managers where the individual had access [1].
  • Revoke authenticators and credentials. This is broader than disabling a user in one directory. It includes MFA factors, certificates, hardware tokens, and any credentials the person holds or controls [1].
  • Perform an exit discussion with security topics. The exit interview must include your defined security topics (confidentiality, data return, acceptable use reminders, post-employment obligations, reporting known issues) and be recorded as completed [1].
  • Recover organization property tied to systems/security. Retrieve laptops, badges, keys, smart cards, hardware tokens, removable media, and any other organizational system-related or security-related items [1].

Plain-English interpretation (what “good” looks like)

A compliant PS-4 implementation behaves like a switchboard:

  1. HR indicates a termination with an effective time.
  2. IAM and IT automatically or procedurally cut off access within your defined timeframe.
  3. Security-sensitive credentials are revoked across all systems.
  4. The person receives a final security briefing and acknowledges key points.
  5. All organizational property is accounted for.

Auditors do not need perfection across every SaaS tool on day one. They do expect you to identify the authoritative sources of access (SSO/IdP, PAM, cloud IAM, endpoint management) and show that offboarding consistently hits those choke points, with logs and tickets that reconcile.

Who it applies to

Entity types and contexts:

  • Cloud Service Providers (CSPs) supporting FedRAMP Moderate workloads, including CSP staff and contractors who administer, develop, support, or can access the system boundary [1].
  • Federal agencies operating systems aligned to the FedRAMP Moderate baseline, including civil servants and contractors with access to agency systems or agency-managed cloud tenants [1].

Operational scope (who counts as “individual employment”): Treat PS-4 as applying to anyone whose access is granted based on a work relationship: employees, temps, interns, and contractors with identities in your IAM stack. If a third party’s personnel access your environment through their own identity provider or shared credentials, you still need an equivalent termination workflow contractually and operationally (disable access, revoke credentials, recover assets you own).

What you actually need to do (step-by-step)

1) Define your termination standard (policy-level)

  • Define the termination-to-access-disable timeframe in your access control or personnel security documentation [1].
  • Define what “disable system access” means in your environment: IdP disable, local account lock, VPN revoke, cloud role removal, PAM checkout revocation, certificate invalidation, and recovery of tokens/keys [1].
  • Define security topics required for the exit interview (examples below) [1].
  • Define what qualifies as security-related and organizational system-related property to retrieve [1].

2) Build the offboarding trigger (HR → IAM)

  • Establish HR as the authoritative source for termination events.
  • Create a termination workflow entry point: HRIS event, service ticket, or case management item.
  • Require key fields: individual identifier, termination type (voluntary/involuntary), effective time, manager, systems/roles, asset list, and whether the person held privileged access.

Practical note: For involuntary terminations, your workflow must support immediate execution without waiting for end-of-day admin tasks. The requirement allows you to define the time period, but you must meet it [1].

3) Execute access disablement and credential revocation (IAM/PAM/IT)

Create a standard “deprovisioning run” that covers:

  • Identity provider / directory: disable user, expire sessions if supported, remove from groups.
  • MFA: revoke factors, remove device bindings, invalidate recovery codes.
  • Privileged access (PAM): remove from privileged groups, rotate shared secrets the person knew, revoke standing access approvals.
  • Cloud provider IAM: remove roles/policies, disable access keys, rotate any keys the person created or managed, invalidate console sessions where supported.
  • VPN / remote access: revoke certificates, disable client profiles, remove from VPN groups.
  • Endpoint management: quarantine or wipe devices if not returned in time, remove device compliance exceptions tied to the person.
  • SaaS apps not behind SSO: disable local accounts, rotate shared admin passwords, remove API tokens issued to the person.

Control objective: Make your IdP and PAM your “kill switches.” If you cannot centrally disable a downstream system, document the manual step and record completion evidence [1].

4) Retrieve property (IT/Facilities/Security)

  • Maintain an inventory mapping: user ↔ assigned assets ↔ last known location.
  • Retrieve items: laptop, phone, removable media, badge, keys, smart card, hardware token.
  • For remote workers: require shipment tracking and intake logging; document exceptions and compensating actions (for example, remote wipe and credential rotation).

5) Conduct the security exit interview (HR/Security)

PS-4 requires exit interviews that include organization-defined information security topics [1]. Keep it short and consistent. Common topics:

  • Confidentiality obligations and handling of sensitive data
  • Return/destruction expectations for organization information
  • Prohibition on retaining credentials or accessing systems after termination
  • Reporting obligations for suspected incidents discovered later
  • Reminders about phishing/social engineering attempts after departure

Record completion and the topics covered (checklist plus acknowledgement works well).

6) Close out with reconciliation and evidence packaging (GRC)

  • Reconcile: HR termination list vs. IAM disabled list vs. asset return list.
  • Sample-check privileged users and administrators more deeply.
  • File evidence by termination case so you can answer “show me for these five people” without rebuilding the story.

Where Daydream fits: many teams track PS-4 evidence across HR tickets, IAM logs, MDM, and asset tools. Daydream helps you standardize the termination workflow, map required evidence to PS-4, and keep a clean audit trail that ties each departure to access disablement, credential revocation, and property recovery.

Required evidence and artifacts to retain

Keep evidence that is person-specific and time-linked:

  • Approved termination/offboarding ticket or HR case record with effective time
  • IAM/IdP logs showing disable time and group/role removals
  • MFA revocation record (or screenshot/export)
  • Cloud IAM key disablement/rotation records where relevant
  • PAM removal and shared secret rotation record (if applicable)
  • VPN disablement record
  • Asset return checklist and intake record (serial numbers)
  • Exit interview checklist including security topics and completion acknowledgement
  • Exceptions and approvals (for example, delayed property return with compensating actions)

Common exam/audit questions and hangups

Expect questions like:

  • “What is your organization-defined time period for disabling access after termination?” [1]
  • “Show evidence for a sample of terminated personnel that access was disabled within that period.” [1]
  • “How do you ensure contractors and third-party personnel are included?”
  • “How do you revoke MFA and other authenticators beyond the directory account?” [1]
  • “What security topics are covered in exit interviews, and where is it documented?” [1]
  • “How do you retrieve hardware tokens and badges? What happens when you can’t?” [1]

Hangups auditors commonly press:

  • Reliance on a single system (for example, disabling SSO) while leaving local accounts active.
  • No evidence of session invalidation or token/key revocation.
  • Asset recovery handled informally, with no inventory reconciliation.

Frequent implementation mistakes (and fixes)

  • Mistake: “We disable the AD account” as the whole process.
    Why it fails PS-4: PS-4 requires revoking authenticators/credentials and retrieving property, not only disabling one account [1].
    Fix: Build a deprovision checklist that includes MFA, PAM, cloud keys, VPN, and assets.
  • Mistake: Offboarding starts when the manager emails IT.
    Why it fails PS-4: Delays create gaps against your defined timeframe [1].
    Fix: Make HR the trigger, with an on-call path for urgent terminations.
  • Mistake: Shared admin passwords never rotated.
    Why it fails PS-4: The individual retains effective access.
    Fix: Make rotation a mandatory step when someone had shared-secret knowledge.
  • Mistake: Exit interviews are “HR only” with no security content.
    Why it fails PS-4: PS-4 requires security topics in the exit interview [1].
    Fix: Add a short security script and a checklist acknowledgement.
  • Mistake: Asset recovery lacks serial numbers.
    Why it fails PS-4: You cannot prove what was returned.
    Fix: Tie returns to inventory records and intake logs.

Execution plan (30/60/90-day)

This plan focuses on audit readiness and operational reliability under PS-4 [1]; it does not cover enforcement actions or penalties, for which no sources are cited here.

First 30 days (stabilize and define)

  • Write/approve: termination disablement timeframe, exit interview security topics, and property categories [1].
  • Map access paths: IdP, PAM, VPN, cloud IAM, critical SaaS, endpoint management.
  • Create a single offboarding ticket template with required fields and task checklist.
  • Start collecting evidence for every termination in a consistent folder/case record.

Days 31–60 (engineer the workflow)

  • Integrate the HR trigger with IAM deprovisioning where feasible; otherwise formalize manual steps with owners and SLAs aligned to your defined timeframe [1].
  • Add privileged-user branch steps: shared secret rotation, cloud key review, elevated role removal.
  • Standardize asset return intake and link to inventory.
  • Train HR and IT on the exit interview security script and evidence capture.

Days 61–90 (prove it and harden)

  • Run an internal mini-audit: pick a sample of recent terminations and verify end-to-end evidence for each PS-4 element [1].
  • Fix gaps: untracked apps, local accounts, missed MFA revocations, missing asset records.
  • Implement reconciliation reporting: HR termination list vs. IAM disabled report vs. asset returns.
  • Operationalize ongoing monitoring in Daydream to keep PS-4 evidence packaged and review-ready.
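The reconciliation described in step 6 (“HR termination list vs. IAM disabled list vs. asset return list”) and again in the Days 61–90 item is the check that turns scattered logs into per-person PS-4 evidence. The script below is an added example, not code from Daydream or from the page: it joins a constructed HR termination export, a constructed IAM/MFA audit export, and a constructed asset inventory/intake log on a person identifier, then tests each case against the four PS-4 elements the page lists. The event names (user.disable, mfa.revoke, vpn.revoke, shared_secret.rotate, cloud_key.disable), the 4-hour disable window, and all sample records are assumptions chosen for illustration, not any real HRIS or IdP schema.

```python
"""Offboarding reconciliation: HR terminations vs IAM events vs asset returns (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Organization-defined time period for disabling access (PS-4 leaves the value to you).
# 4 hours is an assumed value for this example.
DISABLE_SLA = timedelta(hours=4)

# Evidence every case must show beyond the directory disable; names are assumptions, not a real IdP schema.
REQUIRED_REVOCATIONS = {"mfa.revoke", "vpn.revoke"}
# For privileged users, at least one of these must be present (shared-secret / cloud key branch).
PRIVILEGED_ACTIONS = {"shared_secret.rotate", "cloud_key.disable"}

# Constructed HR termination export: HR is the authoritative trigger.
HR_TERMINATIONS = [
    {"id": "u1001", "effective": "2024-03-04T17:00:00Z", "type": "voluntary", "privileged": False},
    {"id": "u1002", "effective": "2024-03-05T09:30:00Z", "type": "involuntary", "privileged": True},
    {"id": "u1003", "effective": "2024-03-06T12:00:00Z", "type": "voluntary", "privileged": False},
]

# Constructed IAM/MFA/VPN audit export. u1002 was disabled late and lacks the privileged branch;
# u1003 never had MFA revoked.
IAM_EVENTS = [
    {"id": "u1001", "action": "user.disable", "ts": "2024-03-04T17:12:00Z"},
    {"id": "u1001", "action": "mfa.revoke", "ts": "2024-03-04T17:13:00Z"},
    {"id": "u1001", "action": "vpn.revoke", "ts": "2024-03-04T17:13:00Z"},
    {"id": "u1002", "action": "user.disable", "ts": "2024-03-05T15:45:00Z"},
    {"id": "u1002", "action": "mfa.revoke", "ts": "2024-03-05T15:46:00Z"},
    {"id": "u1002", "action": "vpn.revoke", "ts": "2024-03-05T15:46:00Z"},
    {"id": "u1003", "action": "user.disable", "ts": "2024-03-06T12:05:00Z"},
    {"id": "u1003", "action": "vpn.revoke", "ts": "2024-03-06T12:06:00Z"},
]

# Constructed inventory (user -> assigned serial numbers) and asset intake log. u1003 has returned nothing.
ASSET_ASSIGNMENTS = {"u1001": {"LT-0001"}, "u1002": {"LT-0002", "TK-0002"}, "u1003": {"LT-0003", "TK-0003"}}
ASSET_RETURNS = [
    {"id": "u1001", "serial": "LT-0001", "ts": "2024-03-04T16:00:00Z"},
    {"id": "u1002", "serial": "LT-0002", "ts": "2024-03-06T10:00:00Z"},
    {"id": "u1002", "serial": "TK-0002", "ts": "2024-03-06T10:00:00Z"},
]


def parse_ts(s: str) -> datetime:
    """Parse UTC timestamps of the form 2024-03-04T17:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class CaseResult:
    person: str
    findings: List[str] = field(default_factory=list)
    disable_delay: Optional[timedelta] = None  # effective termination -> first disable event

    def ok(self) -> bool:
        return not self.findings


def reconcile(terminations, events, assignments, returns, sla=DISABLE_SLA) -> Dict[str, CaseResult]:
    """Join the three sources on person id and produce one finding list per termination case."""
    actions: Dict[str, Dict[str, List[datetime]]] = {}
    for e in events:
        actions.setdefault(e["id"], {}).setdefault(e["action"], []).append(parse_ts(e["ts"]))
    returned: Dict[str, set] = {}
    for r in returns:
        returned.setdefault(r["id"], set()).add(r["serial"])

    results: Dict[str, CaseResult] = {}
    for t in terminations:
        pid, effective = t["id"], parse_ts(t["effective"])
        res = CaseResult(pid)
        acts = actions.get(pid, {})
        seen = set(acts)

        # Element 1: access disabled within the defined period. A disable before the effective time counts as 0 delay.
        if "user.disable" in acts:
            res.disable_delay = max(min(acts["user.disable"]) - effective, timedelta(0))
            if res.disable_delay > sla:
                res.findings.append(f"access disabled {res.disable_delay} after termination, exceeds SLA {sla}")
        else:
            res.findings.append("no user.disable event found")

        # Element 2: authenticators/credentials revoked, including the privileged branch.
        for a in sorted(REQUIRED_REVOCATIONS - seen):
            res.findings.append(f"missing revocation evidence: {a}")
        if t.get("privileged") and not (PRIVILEGED_ACTIONS & seen):
            res.findings.append("privileged user: no shared-secret rotation or cloud key disablement recorded")

        # Element 4: property recovered; every assigned serial must appear in the intake log.
        outstanding = sorted(assignments.get(pid, set()) - returned.get(pid, set()))
        if outstanding:
            res.findings.append("assets not returned: " + ", ".join(outstanding))
        results[pid] = res
    return results


def report(results: Dict[str, CaseResult]) -> List[str]:
    """One line per termination case, suitable for filing with the case record."""
    return [f"{pid}: " + ("PASS" if r.ok() else "FAIL - " + "; ".join(r.findings)) for pid, r in results.items()]


if __name__ == "__main__":
    for line in report(reconcile(HR_TERMINATIONS, IAM_EVENTS, ASSET_ASSIGNMENTS, ASSET_RETURNS)):
        print(line)
```

The exit interview record (element 3) is deliberately left out because it lives in HR's checklist rather than a machine log; in practice you would add a fourth source keyed on the same person identifier. Replacing the constructed lists with exports from your HRIS, IdP, MFA, VPN and asset systems gives you the “show me for these five people” answer without rebuilding the story by hand.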

Frequently Asked Questions

Does PS-4 apply to contractors and third-party personnel?

If they have identities or access to your systems, treat them as in-scope for termination handling. You still need access disablement, credential revocation, and property recovery actions tied to the end of their engagement [1].

What counts as an “authenticator” or “credential” we must revoke?

Anything that enables authentication or access: passwords, MFA factors, certificates, hardware tokens, API keys tied to the individual, and privileged credentials the person could use [1].

We use SSO for most apps. Is disabling the IdP account enough?

Often it’s a strong control point, but PS-4 also requires revoking authenticators/credentials and collecting property, and you must address apps with local accounts or standalone tokens [1].

What should we document as “information security topics” in the exit interview?

Define a short set of required topics and record completion. Common topics include confidentiality, data return expectations, prohibition on post-termination access, and how to report suspected incidents after departure [1].

What if we can’t retrieve a laptop or token right away?

Document the exception, execute compensating steps (disable access, revoke credentials, remote wipe where possible, rotate shared secrets), and maintain a tracked recovery process until closed [1].

What evidence is most persuasive in an audit?

Time-stamped access disablement logs, records of MFA/key revocation, an asset return record tied to inventory, and an exit interview checklist showing security topics covered, all linked to a termination case [1].

Footnotes

  [1] NIST Special Publication 800-53 Revision 5

FedRAMP Moderate Personnel Termination: Implementation Guide | Daydream