CMMC Practice Number: PE.L1-3.10.4
CMMC Level: 1 CMMC Domain: Physical Protection (PE)
Practice Summary:
Maintain audit logs of physical access.
Contents:
CMMC Practice Implementation |
Assessment Objectives
Determine if:
[a] audit logs of physical access are maintained.
Practice Clarification (DOD, CMU)
Make sure you have a record of who accesses your facility (e.g., office, plant, factory) [a]. You can do this in writing by having employees and visitors sign in and sign out or by electronic means such as badge readers. Whatever means you use, you need to retain the access records for the time period that your company has defined [a].
Example
You and your coworkers like to have friends and family join you for lunch at the office on Fridays. Your small company has just signed a contract with the DoD, however, and you now need to document who enters and leaves your facility. You work with the reception staff to ensure that all non-employees sign in at the reception area and sign out when they leave [a]. You retain those paper sign-in sheets in a locked filing cabinet for one year. Employees receive badges or key cards that enable tracking and logging access to company facilities.
Potential Assessment Considerations
• Are logs of physical access to sensitive areas (both authorized access and visitor access) maintained per retention requirements [a]?
• Are visitor access records retained for as long as required [a]?
Where To Look
- Physical and environmental protection policy
- procedures addressing physical access control
- system security plan
- physical access control logs or records
- inventory records of physical access control devices
- system entry and exit points
- records of key and lock combination changes
- storage locations for physical access control devices
- physical access control devices
- list of security safeguards controlling access to designated publicly accessible areas within facility
- other relevant documents or records
Who To Talk To
- Personnel with physical access control responsibilities
- personnel with information security responsibilities
Perform Test On
- Organizational processes for physical access control
- mechanisms supporting or implementing physical access control
- physical access control devices
Additional Information
This requirement applies to company employees and visitors. Individuals (employees with physical access control responsibilities, employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Companies determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users.
Physical access devices include keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within company facilities include cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas.
Companies have flexibility in the types of audit logs they employ. Audit logs can be procedural, implemented by employees with physical access control responsibilities, a written log of individuals accessing the facility and when such access occurred), automated (employees with physical access control responsibilities, capturing ID provided by a smart card or badge), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both.
Components of company information systems (e.g., employees with physical access control responsibilities, workstations, terminals) may be in areas designated as publicly accessible with organizations safeguarding access to such devices.
CMMC Practice Background and References (DOD, CMU) |
Practice Discussion:
DISCUSSION FROM SOURCE: NIST SP 800-171 R2
Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to systems or system components requiring supplemental access controls, or both. System components (e.g., workstations, notebook computers) may be in areas designated as publicly accessible with organizations safeguarding access to such devices.
CMMC References:
· FAR Clause 52.204-21 Partial b.1.ix
· NIST SP 800-171 Rev 1 3.10.4
· NIST SP 800-53 Rev 4 PE-3