CMMC Practice Number: PE.L1-3.10.5
CMMC Level: 1 CMMC Domain: Physical Protection (PE)
Practice Summary:
Control and manage physical access devices.
Contents:
CMMC Practice Implementation |
Assessment Objectives
Determine if:
[a] physical access devices are identified;
[b] physical access devices are controlled; and
[c] physical access devices are managed.
Practice Clarification (DOD, CMU)
Identifying and controlling physical access devices (e.g., locks, badges, key cards) is just as important as monitoring and limiting who is able to physically access certain equipment [a,b]. Physical access devices are only strong protection if you know who has them and what access they allow [c]. Physical access devices can be managed using manual or automatic processes such a list of who is assigned what key, or updating the badge access system as personnel change roles [c].
Example
You are a facility manager. A team member retired today and returns their company keys to you. The project on which they were working requires access to areas that contain equipment with FCI. You receive the keys, check your electronic records against the serial numbers on the keys to ensure all have been returned, and mark each key returned [c].
Potential Assessment Considerations
• Are lists or inventories of physical access devices maintained (e.g., keys, facility badges, key cards) [a]?
• Is access to physical access devices limited (e.g., granted to, and accessible only by, authorized individuals) [b]?
• Are physical access devices managed (e.g., revoking key card access when necessary, changing locks as needed, maintaining access control devices and systems) [c]?
Where To Look
- Physical and environmental protection policy
- procedures addressing physical access control
- system security plan
- physical access control logs or records
- inventory records of physical access control devices
- system entry and exit points
- records of key and lock combination changes
- storage locations for physical access control devices
- physical access control devices
- list of security safeguards controlling access to designated publicly accessible areas within facility
- other relevant documents or records
Who To Talk To
- Personnel with physical access control responsibilities
- personnel with information security responsibilities
Perform Test On
- Organizational processes for physical access control
- mechanisms supporting or implementing physical access control
- physical access control devices
Additional Information
Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users.
Physical access devices include keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within company facilities include cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas.
Companies have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a smart card or badge), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both.
Components of company information systems(e.g., workstations, terminals) may be in areas designated as publicly accessible with organizations safeguarding access to such devices.
CMMC Practice Background and References (DOD, CMU) |
Practice Discussion:
DISCUSSION FROM SOURCE: NIST SP 800-171 R2
Physical access devices include keys, locks, combinations, and card readers.
CMMC References:
· FAR Clause 52.204-21 Partial b.1.ix
· NIST SP 800-171 Rev 1 3.10.5
· CERT RMM v1.2 KIM:SG4.SP2
· NIST SP 800-53 Rev 4 PE-3