CMMC Practice AC.4.025
Periodically review and update CUI program access permissions.
Bold Coast Security Guidance
You must regularly review the list of users with access to sensitive data, such as CUI. This is easily accomplished if you are using groups in Active Directory. You may also have specific applications with their own security users, which should be reviewed regularly. The problem such reviews catch is often called "permissions creep": users are given new permissions as they transfer within an organization, but their old permissions are never removed. This usually happens because there is a period of time when the user works in two areas at once.
You can review group membership and track any exceptions, such as a user who should have been removed earlier, to identify gaps in your user add/remove/change processes. Note that disabling a user in Active Directory does not disable that user in applications that keep their own list of users not tied to Active Directory; you must disable the user there as well. While you are reviewing the users who have access to an application, you should also check that they still have the correct level of access.
A common strategy is to require managers to re-approve their employees' roles and permissions on an annual basis during their review.
Organizations must maintain the authorizations for access to CUI on a regular basis, considering whether existing authorizations are still needed or new authorizations are required, and update the authorizations accordingly. Reviews of access take mission/business needs into consideration and maintain the organization's implementation of the principle of least privilege.