DOMAIN: Physical Protection
Practice: PE.L1-3.10.1
CAPABILITY: C028 Limit Physical Access
Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
Threat Actors:
Foreign intelligence services may:
1) Discover and seek out locations in your building that have sensitive equipment or information
2) Seek access or enter sensitive locations where there are no effective card key systems, guards, cameras, etc.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· Lists of personnel with authorized physical access/credentials who are identified and reviewed periodically for appropriate access; the organization may also be asked how often the review is performed and to provide evidence of reviews.
· Identified areas that control physical access to organizational systems, production systems, equipment, or other areas as defined by company policy.
· Physical security protections used to monitor and restrict access to controlled areas, such as guards, cameras, locks, badges, etc.
· Output devices such as printers are located in areas that do not expose data to unauthorized employees.
Practice: PE.L1-3.10.3
CAPABILITY: C028 Limit Physical Access
Escort visitors and monitor visitor activity.
Threat Actors:
Threat actors or foreign intelligence service personnel can be very aggressive and inquisitive in and around secure facilities.
They may:
i) seek escorted or unescorted access
ii) use photography/recording devices
iii) ask intrusive questions pertaining to the work location, employees, work performed, etc.
Assessment NOTES: A CMMC assessor may want to review, observe, or test the following:
· Policy or procedures related to physical protections, to determine whether all visitors to sensitive areas are escorted by an authorized employee and monitored (e.g., access control device, guard, camera, etc.).
· Visitor logs, access control system logs, or documentation of validation (testing).
Copyright © 2022 Celerium. All Rights Reserved.