Are you prepared to continue to progress on your Cybersecurity Maturity Model Certification (CMMC) journey? The fourth Domain covered in CMMC Level 1 is Physical Protection. The focus for this domain will be about limiting physical access. In this post, we will discuss the first practice in this domain, PE.1.131. 

What is a CMMC Assessment? 

A CMMC assessment is the methodology to certify that a contractor is compliant with the CMMC standard. CMMC Third Party Assessment Organizations (C3PAOs) carry out this methodology and evaluate your company’s unclassified networks. The CMMC evaluation process gives contractors guidance for a specific CMMC level (1-5); if you pass this process, the C3PAO issues the appropriate CMMC certificate. Passing a level 1 assessment, for example, confirms that you’re meeting the basic safeguarding requirements for Federal Contract Information (FCI). FCI is information not marked as public or for public release (specified in FAR Clause 52.204-21). 

What is Physical Protection – PE.1.131? 

The first practice in the Physical Protection domain, PE.1.131, has a requirement to “Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals”. The most important thing to note is that this requirement applies to employees, individuals with permanent physical access authorization credentials, and visitors, but does not apply to facilities or areas that have been deemed publicly accessible. This practice will focus on supplying authorized individuals with appropriate access through mediums such as key cards or badges, as well as maintaining access to equipment such as locking your organizational systems in rooms. 

 The first step to take in achieving this practice is to step back and identify what in your organizational space (which includes your organizations network) needs to be secured so it is not physically accessible. From there, you have to begin establishing levels of access to certain areas in accordance with the security standards at your company. For example, if an employee should not have certain access to an area because of their job title, then the area should be appropriately secured to make it inaccessible to those without permission. After establishing levels, monitoring everything consistently and retaining logs of areas accessed is the way to move forward in achieving the requirements this practice entails.  

What are the PE.1.131 Assessment Objectives and Objects? 

Assessment procedures consist of an objective and a set of objects. The assessment objective includes a determination statement related to the CMMC practice content to ensure traceability of assessment results to requirements. These results determine if a practice is satisfied. Assessment objects specify the specific items that a C3PAO assesses (e.g., mechanisms, activities, and individuals). 

PE.1.131 assessment objectives: Authorized individuals allowed physical access are identified, physical access to equipment is limited to authorized individuals, physical access to operating environments is limited to authorized individuals. 

PE.1.131 assessment objects: A C3PAO can assess document-based artifacts associated with your system, hardware, software, or firmware safeguards, protection-related actions supporting your system that involves people, and any other personnel related to these elements. 

 What are the Assessment Methods for PE.1.131? 

 Assessment methods define the nature and extent of assessors’ actions (e.g., examining, interviewing, and testing). They are outlined below for PE.1.131: 

 Examine: This method refers to reviewing, inspecting, observing, studying, or analyzing assessment objects. In regards to PE.1.131, a C3PAO may examine physical and environmental protection policy, physical access termination records and associated documentation. 

 Interview: This method refers to the process of holding discussions with individuals or groups to facilitate understanding, achieve clarification, or obtain evidence. A C3PAO may interview personnel with physical access authorization responsibilities, personnel with physical access to system facility 

 InspectThis method is the process of exercising assessment objects under specified conditions to compare actual behavior with expected behavior. All assessment objects that a C3PAO can examine for PE.1.131 are susceptible to testing, as well as organizational processes for physical access authorizations. 

 How Do I Know if I’m Complying to the PE.1.131 Practice? 

Physical Protection is a domain that builds upon the concepts of Access Control, and establishes some more specifics that require attention. You may already have made progress and set measures in place to ensure that you are working towards complying with this practice and its requirements, but you might be wary of what C3PAO’s might assess and how you would stand in an assessment. If this is the case, taking a free CMMC self-assessment can help you gauge where you are in the CMMC compliance process for this domain. Taking this next step can help you better your standing towards compliance, and take you one step closer in achieving CMMC Level 1 certification.