PS-6(3): Post-employment Requirements

PS-6(3) requires you to notify departing personnel of any legally binding post-employment obligations that protect your organization’s information (for example, confidentiality, IP protection, and restrictions on disclosure). Operationally, you need a defined offboarding step that delivers the notice, captures acknowledgment where feasible, and retains evidence that the notification occurred. (NIST SP 800-53 Rev. 5 OSCAL JSON)

Key takeaways:

  • Build a standard “post-employment notice” step into every separation workflow (voluntary, involuntary, layoffs, contractors).
  • Keep evidence: what notice was delivered, to whom, when, and by what method, plus any acknowledgment.
  • Align content to what is “legally binding” for the person (employment agreement, NDA, IP assignment, contract clauses), not generic reminders. (NIST SP 800-53 Rev. 5)

The PS-6(3) post-employment requirements enhancement sits in NIST SP 800-53’s Personnel Security (PS) family and focuses on the moment when your access controls are already being revoked but your information is still at risk. Departing staff, contractors, and other workforce members may retain knowledge, copies of data, or ongoing access paths that only become visible after they leave. The control enhancement is narrow: you must notify individuals of applicable, legally binding post-employment requirements for protecting organizational information. (NIST SP 800-53 Rev. 5 OSCAL JSON)

For a CCO, GRC lead, or compliance officer, the fastest path to operationalizing PS-6(3) is to treat it as an offboarding control with legal input and audit-ready evidence. You are not being asked to invent new legal obligations. You are being asked to consistently communicate the obligations that already apply to that individual and to prove you did so. In regulated or federal contexts (including contractor systems handling federal data), assessors will look for repeatable execution, not ad hoc emails that vary by manager. (NIST SP 800-53 Rev. 5)

This page gives you requirement-level implementation guidance: who it applies to, what to build into your workflows, what artifacts to retain, the questions auditors ask, and a practical execution plan.

Regulatory text

Control requirement (excerpt): “Notify individuals of applicable, legally binding post-employment requirements for protection of organizational information; and” (NIST SP 800-53 Rev. 5 OSCAL JSON)

What the operator must do

  1. Identify which post-employment obligations are legally binding for the departing individual. Examples commonly include confidentiality commitments, non-disclosure terms, IP assignment obligations, return/destruction of materials clauses, and restrictions on sharing proprietary or controlled information. Keep your focus on “applicable” and “legally binding,” since that phrase is the compliance anchor. (NIST SP 800-53 Rev. 5 OSCAL JSON)
  2. Notify the individual at separation (or earlier) in a consistent, provable way. You need a standard channel and process step that fires on every separation type. (NIST SP 800-53 Rev. 5)
  3. Retain evidence that notification occurred. Your assessor will expect more than “we always do this.” Treat it like an auditable control activity. (NIST SP 800-53 Rev. 5)

Plain-English interpretation

PS-6(3) means: when someone leaves, you must explicitly tell them what they are still legally required to do (or not do) to protect your organization’s information after employment ends. That notification must be repeatable and defensible.

This is not a request to draft new legal language. It is a request to operationalize communication of existing obligations, tailored to the person’s role and agreements. A generic “please keep things confidential” reminder may help culturally, but it can miss the “applicable, legally binding” test if it does not map to the actual obligations that govern that individual. (NIST SP 800-53 Rev. 5 OSCAL JSON)

Who it applies to

Entity scope

  • Federal information systems and contractor systems handling federal data that adopt or are assessed against NIST SP 800-53 Rev. 5. (NIST SP 800-53 Rev. 5)

Operational scope (who must be notified)

Apply the workflow to the full workforce population that can create, access, administer, or handle organizational information, including:

  • Employees (full-time, part-time)
  • Contractors/consultants (especially admins and developers)
  • Temporary staff and interns
  • Third-party personnel with logical access through your environment (for example, outsourced IT) when you manage their offboarding process or contract terms

Trigger events

Treat “separation” broadly:

  • Voluntary resignation
  • Termination for cause
  • Layoffs and reductions in force
  • End of contract/statement of work
  • Role changes that end access to sensitive environments (optional but often operationally helpful)

What you actually need to do (step-by-step)

Step 1: Assign ownership and define the control boundary

  • Control owner: Usually HR + Security + Legal. In practice, HR runs the workflow, Security provides the security-specific content, and Legal validates what is “legally binding.”
  • Boundary decision: Decide whether PS-6(3) applies to all separations company-wide or only to personnel within the system boundary (for example, a FedRAMP or FISMA-scoped environment). Most teams implement it enterprise-wide because offboarding tooling is centralized and exceptions create audit friction. (NIST SP 800-53 Rev. 5)

Step 2: Build a “post-employment obligations” notice template library

Create templates that can be selected based on worker type and access profile. Keep them short and specific:

  • Confidentiality and non-disclosure obligations (reference the signed agreement name/date if available)
  • Protection of regulated or controlled data (without inventing new rules)
  • Return of property and prohibition on retaining copies (align to your acceptable use / asset return language)
  • Reporting channel if they discover they retained information by mistake

Legal should review the template language. Your compliance goal is consistent notification that maps to actual agreements and policies. (NIST SP 800-53 Rev. 5 OSCAL JSON)

Step 3: Map “applicable obligations” per person at offboarding time

Create a simple decision matrix your HR ops team can follow:

Worker type / context | What makes obligations “applicable” | How to select notice content
Employee | Employment agreement, NDA, IP assignment, policy acknowledgments | Attach or reference specific agreements on file
Contractor via MSA/SOW | Contract clauses, NDA, data handling addenda | Reference contract clause set and any NDA
Privileged admin | Same as above plus elevated access risk | Add explicit reminder about secrets, keys, and non-disclosure of system details

Your objective is not to attach every policy. Your objective is to credibly show you notified them of the obligations that actually govern them. (NIST SP 800-53 Rev. 5 OSCAL JSON)

Step 4: Embed notification into the separation workflow

Put the notification step in the same workflow as:

  • Account disablement and access revocation
  • Asset return
  • Exit interview (if conducted)
  • Final paycheck and HR closeout (where lawful)

Good operational patterns:

  • HRIS-triggered task to send notice automatically on “termination date entered”
  • Ticketing workflow (HR creates separation ticket; system assigns a “Send post-employment notice” subtask to HR or Legal Ops)
  • For involuntary terminations, deliver notice during the termination meeting and send follow-up by email to the personal address on file (subject to your HR/legal practices)

Avoid dependence on a manager remembering to send an email. Auditors find that quickly. (NIST SP 800-53 Rev. 5)

Step 5: Capture acknowledgment where feasible (but don’t block on it)

If your legal team supports it, collect an acknowledgment (e-sign or signed separation checklist). If you cannot collect acknowledgment, still meet the requirement by retaining proof of delivery (email logs, HRIS task completion, meeting checklist). The control text focuses on notification. (NIST SP 800-53 Rev. 5 OSCAL JSON)

Step 6: Retain evidence and make it assessable

Store artifacts in a system assessors can access during an audit:

  • HRIS record attachment
  • Separation ticket with the notice attached and completion evidence
  • Central evidence repository mapped to PS-6(3)

Daydream is useful here because you can map PS-6(3) to a single owner, a defined procedure, and recurring evidence artifacts so separation events produce consistent audit-ready evidence. (NIST SP 800-53 Rev. 5 OSCAL JSON)

Required evidence and artifacts to retain

Keep evidence that proves execution, not just design:

Design-time artifacts

  • Offboarding / separation procedure showing the PS-6(3) notification step
  • Approved post-employment notice templates with version control and legal review notes
  • Role-based applicability matrix (even if simple)

Run-time artifacts [1]

  • Copy of the notice delivered (or template version ID)
  • Delivery proof: email headers/logs, HRIS task completion, ticket timestamps, or meeting checklist
  • Recipient identity and separation date
  • Acknowledgment if collected (e-sign record or signed checklist)

Operational governance

  • Control mapping showing owner, workflow system, and evidence location (this is often what makes PS-6(3) “pass” in practice) (NIST SP 800-53 Rev. 5 OSCAL JSON)

Common exam/audit questions and hangups

Expect assessors to probe these areas:

  • “Show me for a sample of terminated users how you notified them.” They want per-person evidence, not a policy statement. (NIST SP 800-53 Rev. 5)
  • “How do you ensure contractors get the notice?” Many organizations offboard contractors inconsistently, especially if a third-party employer is involved.
  • “How do you decide what is ‘applicable’?” If you cannot explain the selection logic, the control looks ad hoc. (NIST SP 800-53 Rev. 5 OSCAL JSON)
  • “What about people who don’t attend an exit interview?” You need a delivery method that does not depend on attendance.

Frequent implementation mistakes and how to avoid them

  1. Relying on a general security policy acknowledgment signed at hire. PS-6(3) is about post-employment notification, not initial onboarding. Fix: add a separation-specific notice step. (NIST SP 800-53 Rev. 5 OSCAL JSON)
  2. Sending a generic reminder that isn’t tied to legally binding terms. Fix: reference the agreement types or clauses that actually apply, and have Legal validate the template set. (NIST SP 800-53 Rev. 5)
  3. No evidence trail. HR says “we always do it,” but nothing is retained. Fix: make the workflow system the system of record and require attachment/log capture before closing the separation ticket. (NIST SP 800-53 Rev. 5)
  4. Forgetting non-employee identities. Shared accounts, contractor identities, interns, and vendors’ staff get missed. Fix: integrate IAM disablement lists with HR/third-party offboarding lists and reconcile exceptions.

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this specific control enhancement, so you should treat PS-6(3) as an assessment-readiness and risk-reduction requirement rather than an enforcement-driven one.

Practically, gaps show up after incidents: a former worker discloses proprietary information, reuses code, retains data, or shares credentials. PS-6(3) does not prevent every outcome, but it strengthens your posture by making expectations explicit and creating a record that you communicated legally binding obligations. That record can matter during investigations, contractual disputes, and customer assurance reviews. (NIST SP 800-53 Rev. 5)

A practical 30/60/90-day execution plan

First 30 days (stabilize and standardize)

  • Assign control owner and backups (HR Ops primary, Security and Legal as approvers). (NIST SP 800-53 Rev. 5)
  • Inventory existing agreements and post-employment clauses (NDA, IP, confidentiality) used across worker types.
  • Draft notice templates and route for Legal approval.
  • Add a mandatory “post-employment notice sent” task to the separation checklist in your HRIS or ticketing tool, with an evidence attachment field.

By 60 days (operationalize and prove it works)

  • Train HR partners and People Managers on when and how to deliver the notice (voluntary vs involuntary, employee vs contractor).
  • Pilot the workflow on live separations and test evidence retrieval for an auditor-style sample.
  • Build exception handling: bounced emails, no personal email on file, immediate terminations, contractor offboarding via third parties.
  • Implement a monthly reconciliation between “identities disabled” and “separations completed with notice evidence.”
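The monthly reconciliation above, and the “forgetting non-employee identities” fix in the mistakes list, both come down to the same check: join the identity provider’s disablement export to the HR/ticketing separation records and flag every gap. The script below is an added example written for this page; it is not code from the page, from Daydream, or from NIST. The export field names, the user ids, the template version labels (such as “PEN-EMP-v3”), and the five-day notice grace period are all constructed assumptions. It reports four exception types (identity disabled with no separation record, separation with the identity still enabled, no notice evidence, notice recorded without delivery proof or template version, plus a late-notice flag) and a coverage figure you can trend month over month. Acknowledgment is deliberately not an exception, matching the page’s “capture it where feasible, don’t block on it” guidance.

```python
"""Monthly reconciliation: IAM disablement export vs. HR separations with PS-6(3) notice evidence.

Added example for this page (not the page's, Daydream's, or NIST's code). The two export
formats, ids, template labels and the grace period are assumptions; sample data is constructed
inline so the script runs offline.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

NOTICE_GRACE_DAYS = 5  # assumed local policy: notice goes out within 5 days of separation


@dataclass
class DisabledIdentity:
    user_id: str
    disabled_on: date


@dataclass
class Separation:
    user_id: str
    worker_type: str                        # "employee", "contractor", ...
    separated_on: date
    notice_sent_on: Optional[date] = None
    template_version: Optional[str] = None  # hypothetical label, e.g. "PEN-EMP-v3"
    delivery_proof: Optional[str] = None    # e.g. "hris-task:SEP-2201" or "email-log:<id>"
    acknowledgment: Optional[str] = None    # e-sign record id if collected; never required here


@dataclass
class Finding:
    user_id: str
    code: str
    detail: str


def evidence_complete(s: Separation) -> bool:
    """Run-time artifacts the page lists: notice/template id, delivery proof, and a date."""
    return bool(s.notice_sent_on and s.template_version and s.delivery_proof)


def reconcile(disabled: List[DisabledIdentity], separations: List[Separation],
              as_of: date) -> List[Finding]:
    findings: List[Finding] = []
    disabled_by_id = {d.user_id: d for d in disabled}
    sep_by_id = {s.user_id: s for s in separations}

    # Gap 1: identity was disabled but no HR / third-party offboarding record exists
    # (shared accounts, vendor staff and interns are the usual misses).
    for uid in sorted(disabled_by_id):
        if uid not in sep_by_id:
            findings.append(Finding(uid, "DISABLED_NO_SEPARATION_RECORD",
                                    f"disabled {disabled_by_id[uid].disabled_on}, no HR separation"))

    # Gap 2: separation is recorded but revocation or notice evidence is incomplete.
    for uid in sorted(sep_by_id):
        s = sep_by_id[uid]
        if s.separated_on <= as_of and uid not in disabled_by_id:
            findings.append(Finding(uid, "IDENTITY_STILL_ENABLED",
                                    f"separated {s.separated_on}, absent from disabled export"))
        if s.notice_sent_on is None:
            findings.append(Finding(uid, "NO_NOTICE_EVIDENCE", "no post-employment notice recorded"))
            continue
        if not s.delivery_proof:
            findings.append(Finding(uid, "NOTICE_MISSING_DELIVERY_PROOF",
                                    "notice date present but no log/ticket/checklist proof"))
        if not s.template_version:
            findings.append(Finding(uid, "NOTICE_MISSING_TEMPLATE_VERSION",
                                    "cannot show which approved notice text was delivered"))
        if s.notice_sent_on > s.separated_on + timedelta(days=NOTICE_GRACE_DAYS):
            findings.append(Finding(uid, "NOTICE_LATE",
                                    f"sent {s.notice_sent_on}, separated {s.separated_on}"))
    return findings


def evidence_coverage(separations: List[Separation]) -> float:
    """Share of separations with complete run-time evidence; trend this monthly."""
    if not separations:
        return 1.0
    return sum(evidence_complete(s) for s in separations) / len(separations)


# Constructed sample exports (hypothetical ids and values)
IAM_DISABLED = [
    DisabledIdentity("u1001", date(2024, 3, 1)),
    DisabledIdentity("u1002", date(2024, 3, 5)),
    DisabledIdentity("u1003", date(2024, 3, 7)),
    DisabledIdentity("u1004", date(2024, 3, 10)),   # no HR record: shared or vendor account
    DisabledIdentity("u1006", date(2024, 3, 20)),
]
HR_SEPARATIONS = [
    Separation("u1001", "employee", date(2024, 3, 1), date(2024, 3, 1), "PEN-EMP-v3",
               "hris-task:SEP-2201", "esign:ACK-7781"),
    Separation("u1002", "contractor", date(2024, 3, 5), date(2024, 3, 5), "PEN-CTR-v2",
               "ticket:SEP-2207"),                       # no acknowledgment: still complete
    Separation("u1003", "employee", date(2024, 3, 7)),   # notice never recorded
    Separation("u1005", "employee", date(2024, 3, 12), date(2024, 3, 12), "PEN-EMP-v3"),
    Separation("u1006", "contractor", date(2024, 3, 20), date(2024, 3, 28), "PEN-CTR-v2",
               "email-log:9f2c"),                        # complete but late
]

if __name__ == "__main__":
    for f in reconcile(IAM_DISABLED, HR_SEPARATIONS, date(2024, 3, 31)):
        print(f"{f.user_id}  {f.code:32} {f.detail}")
    print(f"evidence coverage: {evidence_coverage(HR_SEPARATIONS):.0%}")
```

Run it as-is to see the exception list for the constructed data; in practice, replace the two sample lists with your identity provider and HRIS/ticketing exports, and file the output of each monthly run alongside the other PS-6(3) governance evidence so assessors can see the reconciliation actually happens.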

By 90 days (audit-ready and resilient)

  • Run an internal control test: pull a sample of recent separations and confirm notification + evidence exists for each.
  • Lock template versioning and retention rules (who can edit, where stored, how changes are approved).
  • Map PS-6(3) to your control framework tooling and evidence repository so assessors can self-serve artifacts.
  • Consider automations (HRIS → ticketing → email with logging) to reduce manual failure points. (NIST SP 800-53 Rev. 5 OSCAL JSON)

Frequently Asked Questions

Does PS-6(3) require a signed acknowledgment from the departing worker?

The control text requires notification of applicable, legally binding post-employment requirements. (NIST SP 800-53 Rev. 5 OSCAL JSON) Acknowledgment is strong evidence, but proof of delivery plus the notice content is often the operational minimum.

What counts as “legally binding” post-employment requirements?

Requirements in agreements or contract terms that the individual is bound by, such as NDAs, confidentiality clauses, IP assignment provisions, and similar obligations. (NIST SP 800-53 Rev. 5 OSCAL JSON) Have Legal validate your template language and applicability logic.

How do we handle contractors employed by a third-party staffing firm?

Notify the individual if you can, and also ensure your contract path covers notification through the staffing firm when direct notification is not feasible. Keep evidence of whichever method you used and why. (NIST SP 800-53 Rev. 5)

Can we satisfy PS-6(3) by pointing to our employee handbook?

A handbook alone usually fails the “post-employment notification” expectation because it is not delivered at separation and may not be tailored to legally binding obligations. Add a separation-specific notice step that references the relevant agreements. (NIST SP 800-53 Rev. 5 OSCAL JSON)

Where should we store evidence so audits don’t become a scramble?

Store it in the system that manages separations (HRIS or ticketing) and mirror it to an evidence repository mapped to PS-6(3). Daydream can help you map the control to an owner, procedure, and recurring artifacts so evidence collection is consistent. (NIST SP 800-53 Rev. 5 OSCAL JSON)

What do auditors typically sample to test this control?

They commonly request a set of recent separations and ask for proof each person received the post-employment obligations notice, plus the procedure that makes it repeatable. Be ready to show both design-time templates and run-time delivery evidence. (NIST SP 800-53 Rev. 5)

Footnotes

  1. NIST SP 800-53 Rev. 5 OSCAL JSON
