Physical Protection Practices are a critical part of any comprehensive security program, as well as an essential aspect of NIST 800-171 compliance and protecting Controlled Unclassified Information (CUI). To help companies comply with the physical security requirements portion of Cybersecurity Maturity Model Certification (CMMC), the following is a breakdown of these practices at each level of CMMC.
CMMC Level 1 Physical Protection Practices
Four Physical Protection Practices are implemented at CMMC Level 1. These practices include:
PE.L1-3.10.1 Limit physical access to authorized individuals to organizational information systems, equipment, and the respective operating environments
To comply with this control, companies must identify all the areas within their physical premises that they want to block unauthorized individuals from accessing. This could include rooms, building floors, network infrastructure, server rooms, and computers and laptops. Then, only authorized staff or third parties who need physical access to do their jobs should be allowed into these spaces. To effectively limit physical access, companies can use biometrics, badge readers, key cards, human guards, and so on.
PE.L1-3.10.3 Escort visitors and monitor visitor activity
This practice mandates that companies never allow site visitors/non-employees, even if known to them, to “wander” unescorted around their facilities. Visitors should prominently wear visitor badges and/or be escorted by a properly trained employee at all times while on the property.
PE.L1-3.10.4 Maintain audit logs of physical access
To comply with this practice, companies must keep records of everyone physically accessing their data storage, premises, organizational systems and equipment. This could be as simple as a sign-in/sign-out book.
PE.L1-3.10.5 Control and manage physical access devices
This control refers to physical access devices: locks, keys, lock combinations, card readers, etc. Such devices only offer protection if companies know who has them and what level of physical access they are configured to permit. Therefore, companies need to carefully manage who can physically access them. Ensuring that employees leaving the organization turn in their ID and office keys, disabling old badges, etc., are also primary considerations.
Companies should implement appropriate Access Control policies and procedures to comply with these controls, such as background checks, employee training, employee off-boarding, and a strong visitor management program. Companies should also monitor secured areas of their physical environment for any signs of unauthorized access or suspicious activity.
To view the full text of each CMMC control, view the Level 1 Self-Assessment Guide here.
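As an added illustration (not from the original article or from SSE's services), the following Python script shows how the Level 1 practices above fit together in practice: badge-reader records (PE.L1-3.10.4) are reconciled against an authorization roster (PE.L1-3.10.1) that also records off-boarding dates (PE.L1-3.10.5), so that unknown badges, badges of departed staff, and entries to areas a holder is not authorized for surface as audit findings. The roster, the log lines, and the badge and area names are constructed for the example.

```python
# Added example, not from the original article: a minimal audit over a
# constructed badge-reader export, cross-checked against an authorization roster.
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Constructed roster: badge id -> (holder, authorized areas, off-boarded on or None).
# Off-boarded holders must have their badges disabled (PE.L1-3.10.5).
ROSTER = {
    "B1001": ("a.lopez", {"lobby", "server-room"}, None),
    "B1002": ("j.chen", {"lobby"}, None),
    "B1003": ("former.staff", {"lobby", "server-room"}, date(2024, 3, 1)),
}

# Constructed badge-reader export (PE.L1-3.10.4), one read per line:
# date,time,badge,area,result
SAMPLE_LOG = """\
2024-03-05,08:02,B1001,server-room,granted
2024-03-05,08:10,B1002,server-room,granted
2024-03-05,09:30,B1003,lobby,granted
2024-03-05,09:45,B9999,lobby,denied
"""


@dataclass
class Finding:
    line: str    # the raw log line that triggered the finding
    reason: str  # why the read is not justified by the roster


def audit_badge_log(log_text: str, roster: dict = ROSTER) -> list[Finding]:
    """Return one Finding per log line that the roster does not justify."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, _time, badge, area, result = line.split(",")
        entry = roster.get(badge)
        if entry is None:  # a badge nobody issued was presented at a reader
            findings.append(Finding(line, "unknown badge presented at reader"))
            continue
        holder, areas, offboarded = entry
        if offboarded and date.fromisoformat(day) >= offboarded:
            findings.append(Finding(line, f"badge of off-boarded holder {holder} still active"))
        elif result == "granted" and area not in areas:  # PE.L1-3.10.1 violated
            findings.append(Finding(line, f"{holder} granted entry to {area} without authorization"))
    return findings


if __name__ == "__main__":
    for f in audit_badge_log(SAMPLE_LOG):
        print(f"{f.reason}: {f.line}")
```

Run against a real reader export, the same check doubles as a periodic review of whether off-boarding actually disabled badges, which is the part of PE.L1-3.10.5 that most often slips.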
CMMC Level 2 Physical Protection Practices
At CMMC Level 2, there are two Physical Protection practices:
PE.L2-3.10.2 Protect and monitor the physical facility and support infrastructure for organizational systems.
“Monitoring” includes protections like video surveillance gear, sensors/alarms, and human guards. “Support infrastructure” could include data transmission wires and power lines inside the facility. The goal is to prevent physical tampering and accidental damage or disruption to infrastructure carrying sensitive data. This might require companies to put in place physical infrastructure to protect in-scope assets, such as locked wiring cabinets, physical protection around cables or conduits, or even wiretapping sensors. A typical example would be installing video cameras and secure locks at the entrance to the server room.
To comply with security requirements for this control, companies should conduct regular physical security assessments to identify vulnerabilities and areas for improvement. Physical access controls should also be implemented to restrict or limit access to sensitive areas only to authorized individuals and ensure that all visitors are properly vetted and monitored while on the premises.
PE.L2-3.10.6 Enforce safeguarding measures for CUI at alternate work sites.
Especially since COVID-19, “alternate work sites” often include government facilities, temporary office spaces, and employees’ private homes. This practice says companies must define physical or electronic security safeguards to protect CUI “beyond the perimeter” at specific alternate work sites or site types, depending on the work-related activities that take place there. For example, staff working with CUI from home could be considered an alternate work site.
Unsure About Your Physical Protection Compliance?
Navigating the world of CMMC compliance can be overwhelming. Ensuring your organization’s electronic logs and physical access controls meet the requirements is just one piece of the puzzle. That’s why it’s essential to partner with a reliable and experienced CMMC compliance service provider to ensure you meet all the requirements.
At SSE, we offer a CMMC readiness assessment to evaluate your current level of compliance and identify any gaps that need to be addressed. Then, our team of experts will work with you to create a customized plan to help you achieve and maintain compliance with CMMC guidelines, including physical facility access controls.
Our comprehensive services include the following:
Don’t risk non-compliance with CMMC requirements, which could result in lost contracts and reputational damage. Instead, contact SSE today to schedule your CMMC readiness assessment, and let us help you navigate the complex world of CMMC compliance.