Are you prepared to continue to progress on your Cyber security Maturity Model Certification (CMMC) journey? The fourth domain in the CMMC Level 1 requirements is Physical Protection. The focus for this domain will be about limiting physical access. In this post, we will build on our understanding of the Physical Protection domain and continue our discussion with the third practice, PE.1.133.
What is a CMMC Assessment?
A CMMC assessment is the methodology to certify that a contractor is compliant with the CMMC standard. CMMC Third Party Assessment Organizations (C3PAOs) carry out this methodology and evaluate your company’s unclassified networks. The CMMC evaluation process gives contractors guidance for a specific CMMC level (1-5); if you pass this process, the C3PAO issues the appropriate CMMC certificate. Passing level 1 assessment, for example, confirms that you’re meeting the basic safeguarding requirements for Federal Contract Information (FCI). FCI is information not marked as public or for public release (specified in FAR Clause 52.204-21).
What is Physical Protection – PE.1.133?
The third practice in the Physical Protection Domain is PE.1.133. It states a requirement to “Maintain audit logs of physical access”. This practice begins to get into the more specific aspects of physical protection. After the focus on employees and visitors as well as secure practices for physical security, it is important to be cognizant of who is accessing what in your organization. This is best done through the implementation of audit logs, which establish a record of what is being accessed or used, and by who. Audit logs can be procedural (e.g., a written log of individuals accessing the facility), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access can refer to facility access points and system or system component (i.e., workstations) access points.
The way to implement this requirement in your organization is to simply maintain audit logs, as the practice suggests. Organizations have flexibility when it comes to how they wish to implement this, and you can use whatever type of audit logs that works best for your company. It is not an option to not include them, as it poses a serious security risk to your organization, especially when it comes to physical security.
What are the PE.1.133 Assessment Objectives and Objects?
Assessment procedures consist of an objective and a set of objects. The assessment objective includes a determination statement related to the CMMC practice content to ensure traceability of assessment results to requirements. These results determine if a practice is satisfied. Assessment objects specify the specific items that a C3PAO assesses (e.g., mechanisms, activities, and individuals).
PE.1.133 assessment objectives: Audit logs of physical access are maintained.
PE.1.133 assessment objects: A C3PAO can assess document-based artifacts associated with your system, hardware, software, or firmware safeguards, protection-related actions supporting your system that involves people, and any other personnel related to these elements.
What are the Assessment Methods for PE.1.133?
Assessment methods define the nature and extent of assessors’ actions (e.g., examining, interviewing, and testing). They are outlined below for PE.1.133.
Examine: This method refers to reviewing, inspecting, observing, studying, or analyzing assessment objects. A C3PAO may examine procedures addressing physical access control, physical access control logs or records, or system entry or exit points.
Interview: This method refers to the process of holding discussions with individuals or groups to facilitate understanding, achieve clarification, or obtain evidence. Personnel with physical access control responsibilities or personnel with information security responsibilities may be interviewed.
Inspect: This method is the process of exercising assessment objects under specified conditions to compare actual behavior with expected behavior. A C3PAO could inspect organizational processes for physical access control, mechanisms supporting or implementing physical access control, or physical access control devices.
How Do I know if I’m Complying to the PE.1.133 Practice?
Physical Protection is a domain that builds upon the concepts of Access Control, and establishes some more specifics that require attention. You may already have made progress and set measures in place to ensure that you are working towards complying with this practice and its requirements, but you might be wary of what C3PAO’s might assess and how you would stand in an assessment. If this is the case, taking a free CMMC self-assessment can help you gauge where you are in the CMMC compliance process for this domain. Taking this next step can help you better you’re standing towards compliance, and take you one step closer in achieving CMMC Level 1 certification.