Are you prepared to continue to progress on yourCyber security Maturity Model Certification (CMMC) journey?  The fourth domain in the CMMC Level 1 requirements is Physical Protection. The focus for this domain will be about limiting physical access. In this post, we will build on our understanding of the Physical Protection domain and end our discussion of this domain with the fourth and final practice, PE.1.134. 

What is a CMMC Assessment? 

A CMMC assessment is the methodology to certify that a contractor is compliant with the CMMC standard. CMMC Third Party Assessment Organizations (C3PAOs) carry out this methodology and evaluate your company’s unclassified networks. The CMMC evaluation process gives contractors guidance for a specific CMMC level (1-5); if you pass this process, the C3PAO issues the appropriate CMMC certificate. Passing a level 1 assessment, for example, confirms that you’re meeting the basic safeguarding requirements for Federal Contract Information (FCI). FCI is information not marked as public or for public release (specified in FAR Clause 52.204-21). 

What is Physical Protection – PE.1.134? 

The final practice in the Physical Protection domain is PE.1.134. This practice has a specific requirement to “Control and manage physical access devices”. As we have previously discussed, this domain has had practices continuously build up on each other, and this is the case here as well. We discussed how to manage employees and visitors, establish audit logs for physical access, and now the focus is on controlling and managing physical access devices. Physical access devices include keys, locks, combinations, and card readers, to name a few. These allow you to control who has access to areas in your facilities as well as your systems. This is one of the most important aspects of physical security. Securing and establishing appropriate levels of access within your organization will ensure that your security cannot be compromised.  

Implementing this practice in your organization will vary. Some organizations will establish simple levels like locks to restrict access, and others will implement high tech card readers and scanners to deviate access. You do not have to have the fanciest equipment to meet the requirements in this practice. As long as your organization has physical access to facilities that should not be accessible otherwise restricted appropriately depending on who should be able to access them, you are already well towards achieving this practice. Verifying that you also review and maintain these devices (i.e., changing locks, running checks on card readers), as well as grant/remove access as necessary will also be important for this requirement as well. 

What are the PE.1.134 Assessment Objectives and Objects? 

Assessment procedures consist of an objective and a set of objects. The assessment objective includes a determination statement related to the CMMC practice content to ensure traceability of assessment results to requirements. These results determine if a practice is satisfied. Assessmentobjects specify the specific items that a C3PAO assesses (e.g., mechanisms, activities, and individuals). 

PE.1.134 assessment objectives: Physical access devices are identifiedphysical access devices are controlled, physical access devices are managed. 

PE.1.134 assessment objects:A C3PAO can assess document-based artifacts associated with your system, hardware, software, or firmware safeguards, protection-related actions supporting your system that involves people, and any other personnel related to these elements. 

What are the Assessment Methods forPE.1.134?  

Assessment methods define the nature and extent of assessors’ actions (e.g., examining, interviewing, and testing). They are outlined below for PE.1.134. 

Examine: This method refers to reviewing, inspecting, observing, studying, or analyzing assessment objects. A C3PAO could examine inventory records of physical access control devices, records of key and lock combination changes, storage locations for physical access control devices.

Interview: This method refers to the process of holding discussions with individuals or groups to facilitate understanding, achieve clarification, or obtain evidence. A C3PAO could interview personnel with physical access control responsibilities or personnel with information security responsibilities. 

Inspect: This method is the process of exercising assessment objects under specified conditions to compare actual behavior with expected behavior. A C3PAO could further inspect organizational processes for physical access control​, mechanisms supporting or implementing physical access controlor physical access control devices​. 

How Do I know if I’m Complying to the PE.1.134 Practice?

Physical Protection is a domain that builds upon the concepts of Access Control, and establishes some more specifics that require attention. You may already have made progress and set measures in place to ensure that you are working towards complying with this practice and its requirements, but you might be wary of what C3PAO’s might assess and how you would stand in an assessment. If this is the case, taking a free CMMC self-assessment can help you gauge where you are in the CMMC compliance process for this domain. Taking this next step can help you better you’re standing towards compliance, and take you one step closer in achieving CMMC Level 1 certification.