CMMC Practice Number: PE.L2-3.10.2
CMMC Level: 2 CMMC Domain: Physical Protection (PE)
Practice Summary:
Protect and monitor the physical facility and support infrastructure for organizational systems.
Contents:
CMMC Practice Implementation |
Assessment Objectives
Determine if:
[a] the physical facility where organizational systems reside is protected;
[b] the support infrastructure for organizational systems is protected;
[c] the physical facility where organizational systems reside is monitored; and
[d] the support infrastructure for organizational systems is monitored.
Practice Clarification (DOD, CMU)
The infrastructure inside of a facility, such as power and network cables, is protected so that visitors and unauthorized employees cannot access it [a,b]. The protection is also monitored by security guards, video cameras, sensors, or alarms [c,d].
Example
You are responsible for protecting your IT facilities. You install video cameras at each entrance and exit, connect them to a video recorder, and show the camera feeds on a display at the reception desk [c,d]. You also make sure there are secure locks on all entrances, exits, and windows to the facilities [a,b].
Potential Assessment Considerations
• Is physical access monitored to detect and respond to physical security incidents [c, d]?
Where To Look
- Physical and environmental protection policy;
- procedures addressing physical access monitoring;
- system security plan;
- physical access logs or records;
- physical access monitoring records;
- physical access log reviews;
- other relevant documents or records.
Who To Talk To
- Personnel with physical access monitoring responsibilities;
- personnel with incident response responsibilities;
- personnel with information security responsibilities.
Perform Test On
- Organizational processes for monitoring physical access;
- mechanisms supporting or implementing physical access monitoring;
- mechanisms supporting or implementing the review of physical access logs.
Additional Information
Company incident response capabilities include investigations of and responses to detected physical security incidents. Security incidents include, for example, apparent security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses.
CMMC Practice Background and References (DOD, CMU) |
Practice Discussion:
DISCUSSION FROM SOURCE: NIST SP 800-171 R2
Monitoring of physical access includes publicly accessible areas within organizational facilities. This can be accomplished, for example, by the employment of guards; the use of sensor devices; or the use of video surveillance equipment such as cameras. Examples of support infrastructure include system distribution, transmission, and power lines. Security controls applied to the support infrastructure prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Physical access controls to support infrastructure include locked wiring closets; disconnected or locked spare jacks; protection of cabling by conduit or cable trays; and wiretapping sensors.
CMMC References:
· NIST SP 800-171 Rev 1 3.10.2
· NIST CSF v1.1 PR.AC-2
· CERT RMM v1.2 KIM:SG4.SP2
· NIST SP 800-53 Rev 4 PE-6