Are you prepared to continue to progress on your Cybersecurity Maturity Model Certification (CMMC) journey? The fourth domain in the CMMC Level 1 requirements is Physical ProtectionThe focus for this domain will be about limiting physical access. In this post, we will build on our understanding of the Physical Protection domain and continue our discussion with the second practice, PE.1.132. 

What is a CMMC Assessment? 

A CMMC assessment is the methodology to certify that a contractor is compliant with the  CMMC standard. CMMC Third Party Assessment Organizations (C3PAOs) carry out this methodology and evaluate your company’s unclassified networks. The CMMC evaluation process gives contractors guidance for a specific CMMC level (1-5); if you pass this process, the C3PAO issues the appropriate CMMC certificate. Passing a level 1 assessment, for example, confirms that you’re meeting the basic safeguarding requirements for Federal Contract Information (FCI). FCI is information not marked as public or for public release (specified in FAR Clause 52.204-21). 

What is Physical Protection – PE.1.132? 

The second practice in the Physical Protection Domain is PE.1.132. It has a requirement to “Escort visitors and monitor visitor activity”. This practice builds upon the previous practice, as the focus for PE.1.131 was on employees, whereas this practice focuses on visitors. A visitor is anyone that is not an individual with permanent physical access authorization credentials. Even if you have a well-known friend or family member that you trust, you must have these individuals be escorted through organizational facilities at all times. Adding identification to visitors is important as well, whether that be through a sign in sheet or a visitor badge. The most important part of this requirements comes from monitoring the individuals and their movements, ensuring that they are not accessing off limit areas, that organizational information is properly secured and not easily accessible to them, and that there are audit logs of whatever interactions the visitors made until they leave. 

To work towards achieving this practice, you have to ensure your organization has a system set in place to handle visitors. A check-in process with an identification method is the first step, with the next steps being monitoring the individual’s activity and ensuring that all your organizational information is properly secured. The practices in the Physical Protection domain require you to have previous practices properly implemented, as without proper access established in your organization as defined in PE.1.131 means that visitors can easily compromise your information. It is important to be wary of this. 

What are the PE.1.132 Assessment Objectives and Objects?  

Assessment procedures consist of an objective and a set of objects. The assessment objective includes a determination statement related to the CMMC practice content to ensure traceability of assessment results to requirements. These results determine if a practice is satisfied. Assessmentobjects specify the specific items that a C3PAO assesses (e.g., mechanisms, activities, and individuals). 

PE.1.132 assessment objectives: Visitors are escorted, and visitor activity is monitored.

PE.1.132assessment objects:A C3PAO can assess document-based artifacts associated with your system, hardware, software, or firmware safeguards, protection-related actions supporting your system that involves people, and any other personnel related to these elements. 

What are the Assessment Methods forPE.1.132 

Assessment methods define the nature and extent of assessors’ actions (e.g., examining, interviewing, and testing). They are outlined below for PE.1.132 

Examine: This method refers to reviewing, inspecting, observing, studying, or analyzing assessment objects. A C3PAO may examine your physical access control logs or records, inventory records of physical access control devices​, or system entry and exit points. 

Interview: This method refers to the process of holding discussions with individuals or   groups to facilitate understanding, achieve clarification, or obtain evidence. Personnel with physical access control responsibilities or personnel with information security responsibilities may be interviewed by a C3PAO for this method. 

Inspect: This method is the process of exercising assessment objects under specified conditions to compare actual behavior with expected behavior. This can include inspecting organizational processes for physical access control as well as physical access control devices. 

How Do I know if I’m Complying to the PE.1.13Practice? 

Physical Protection is a domain that builds upon the concepts of Access Control, and establishes some more specifics that require attention. You may already have made progress and set measures in place to ensure that you are working towards complying with this practice and its requirements, but you might be wary of what C3PAO’s might assess and how you would stand in an assessment. If this is the case, taking a free CMMC self-assessment can help you gauge where you are in the CMMC compliance process for this domain. Taking this next step can help you better your standing towards compliance, and take you one step closer in achieving CMMC Level 1 certification.