PS-5 Personnel Transfer
Control
a.
Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;
b.
Initiate [Assignment: organization-defined transfer or reassignment actions] within [twenty-four (24) hours];
c.
Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
d.
Notify [including access control personnel responsible for the system] within [twenty-four (24) hours].
Discussion
Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts.
FedRAMP-Defined Assignment / Selection Parameters
- PS-5 (b) [twenty-four (24) hours] - the time period within which transfer or reassignment actions must occur following transfer or reassignment is defined;
- PS-5 (d) [including access control personnel responsible for the system] - personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization is/are defined;
- PS-5 (d) [twenty-four (24) hours] - time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization is defined;