Last Updated on June 29, 2021
The Cybersecurity Maturity Model Certification (CMMC) is an information security standard from the US Department of Defense (DoD). Its goal is nothing short of ensuring protection for Controlled Unclassified Information (CUI) across the 300,000-member defense industrial base (DIB) worldwide.
CMMC defines 171 practices (controls), each of which falls into 1 of 17 domains (control families). To provide additional structure, each practice is also mapped onto 1 of 43 capabilities and falls under one of the CMMC’s five cybersecurity maturity levels.
While it doesn’t include a lot of controls, Physical Protection (PE) is as critical as any of the CMMC domains—because physical and logical access are inseparable. Your physical perimeter is your first line of defense. If you can’t physically protect your assets from unauthorized tampering, there’s no way you can secure them with logical controls. The prevalence of insider threats serves to strongly underscore this point.
The CMMC states, “Physical Protection activities ensure that physical access to CUI asset containers is strictly controlled, managed, and monitored in accordance with CUI protection requirements.” That means protecting your facilities, staff and systems from physical threats like unauthorized access, theft or damage. An unescorted adversary loose in your premises can wreak havoc in minutes!
As a core family of controls that every business needs to stay operational, never mind protect CUI, the Physical Protection domain applies across the lowest CMMC levels: 1, 2 and 3. It includes six practices altogether.
The Physical Protection domain includes just one capability:
- Limit physical access
What are the CMMC Physical Protection Domain Practices?
Four of the six Physical Protection domain practices come into play at CMMC Level 1:
- 1.131 Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
This control requires you to identify all the areas within your physical premises that you want to block unauthorized individuals from physically contacting. This could include rooms, floors of a building, your network gear, your CEO’s laptop, and so on. Only authorized staff or third parties who need physical access to do their jobs should ever contact these spaces. To effectively limit access you can use biometrics, badge readers, key cards, human guards, and so on.
- 1.132 Escort visitors and monitor visitor activity.
This practice mandates that you never allow site visitors/non-employees, even if known to you, to “wander” unescorted around your facility. Visitors should prominently wear visitor badges and/or be escorted by a properly trained employee at all times while on your property.
- 1.133 Maintain audit logs of physical access.
To comply with this practice you’ll need to keep records of everyone who accesses your premises and your equipment. This could be as simple as a sign-in/sign-out book.
- 1.134 Control and manage physical access devices.
“Physical access devices” refers to locks, keys, lock combinations, card readers, etc. Such devices only offer protection if you know who has them and what level of access they’re configured to permit. Therefore, you need to carefully manage who can physically access them. Making sure employees leaving the organization turn in ID badges and office keys, disabling old badges, etc. are also primary considerations.
CMMC Level 2 includes one Physical Protection domain practice:
- 2.135 Protect and monitor the physical facility and support infrastructure for organizational systems.
“Monitoring” includes protections like video surveillance gear, sensors/alarms and human guards. “Support infrastructure” could include things like data transmission wires and power lines inside your facility. The goal is to prevent both physical tampering and accidental damage or disruption to infrastructure that carries sensitive data. This might require you to put in place things like locked wiring cabinets, physical protection around cables or conduit, or even wiretapping sensors. A typical example would be installing video cameras and secure locks at the entrance to your server room.
CMMC Level 3 includes one final Physical Protection domain practice:
- 3.136 Enforce safeguarding measures for CUI at alternate work sites.
Especially since COVID-19, “alternate work sites” often include not only government facilities or temporary office space, but employees’ private homes. This practice says you must define physical and/or electronic security safeguards to protect CUI “beyond the perimeter” at specific alternate work sites or site types, depending on the work-related activities that take place there. For example, staff working with CUI from home could be required to use only company laptops equipped with patch management, anti-virus, and full-disk encryption, and to access your internal network only with VPN connectivity via two-factor authentication.
What is needed to comply with the CMMC Physical Protection Domain controls?
Most companies have basic physical security in place so that criminals don’t walk in off the street to steal mobile devices and peoples’ personal items. But even at CMMC Level 1, limiting physical access and proving information assets are protected could include significant investments. For example, there might be parts of your premises that you haven’t bothered to adequately secure up until now. Or you may simply have casual guest/friend practices that you’ll need to amend.
To meet the requirements for handling CUI (defined by CMMC Level 3 and above), you’ll need a verifiably secure “telework” strategy if you don’t already have one. You might also need to amp up your current level of monitoring and protection of physical infrastructure, which is easy to overlook but required to protect CUI.
Of course, you not only need to protect the infrastructure, but also the protections themselves, so they can’t be compromised or tampered with to give you a false sense of security (as seen on TV, right?).
Need to make sure you’re in compliance with CMMC at a particular level? Contact Pivot Point Security to talk over your company’s unique needs with a CMMC expert.