Okay, welcome back to part seven (it’s actually 8) on “What you need to know about CMMC”. I’m Bob Hanley from Sabre Systems and today we will continue our discussions on the 17 CMMC domains, as we help you in your efforts to become CMMC ready. If you remember, we discussed personnel security last week. Today, we will discuss physical protection or PE for short. Remember CMMC is about protecting controlled unclassified information (CUI) which includes lim-dis and FOUO – limited distribution and for official use only.

So, if you’re just joining us today, where are we in this journey through these CMMC domains? Let me catch everyone up – we have already reviewed seven domains: awareness training, configuration management, identification and authentication, incident response, maintenance, media protection and personnel security. Hopefully you’re beginning to see how each domain connects and relates to each other. They are complementary, so it’s important as we move on to think in those terms and get that overall perspective and understanding of these domains within
that context.

As a refresher, CMMC (cyber security maturity model certification) has five levels with five being the most stringent. All contractors and sub-contractors will need to have a minimum level one certification, but if you’re going to prime a contract you will need a minimum level three.

PE has four level one, one level two and one level three requirements and no level 4 and level 5 requirements. So, today we will discuss those level 1, level 2 and level 3 requirements. PE is focused on physical protection activities that ensure physical access to CUI, asset container locations are strictly controlled, managed and monitored in accordance with CUI protection requirements. Let’s take a look at the four level one requirements: the first one is about
limiting physical access to organizational information systems, equipment and their respective operating environments to only authorized individuals. Seems pretty straightforward. This includes locking away sensitive equipment as necessary and limiting access to authorized personnel who have been explicitly granted access to CUI. Special equipment should be used only by authorized team members, so please don’t forget that special equipment that may
be assigned to a project that contains CUI. And lastly, secured access such as doors, windows, etc. to those rooms or locations to only those who work on the program and have need for access.

Okay, the second practice is about escorting visitors and monitoring visitor activity. So, visitors include anyone without authority to access a building, indoor area. This practice primarily entails
escorting and monitoring visitors at all reasonable points within your facility or in a sensitive area and includes people you may know very well as well as people you may not know at all. So, just because you know somebody, and they may be a good friend doesn’t mean they can have unrestricted access. They have to be cleared and authorized to use that space or access that
information.

So, use of visitor badges and other alerts may be appropriate in order to give notice to those around that there is a person in the area that is not authorized to wander around. So, making sure all the people in the environment as you walk around are clearly aware that you have an
unauthorized person in that area. It’s very important to make sure you don’t have any inadvertent exposure to CUI data to that person. Remember, everyone is responsible to help keep CUIs secure. So, the more people that are aware of an unescorted person in the area or an escorted person as well the better. Report incidents of unauthorized people in a secure area without proper escorting or badging.

Third practice is about maintaining audit logs of physical access. This will allow the security team to monitor both authorized and unauthorized individual accessing the property. This can be done through a physical sign-in log, access badges, etc. Much like COVID, this enables contact tracing – should someone enter a secure facility without proper authorization and determine how that happened. Employees can have badges or key cards that enable tracking and logging access to the company’s facilities.

And the last level one practice is about controlling and managing physical access devices. This provides physical barriers to accessing the property that only authorized individuals would have a key to. This would include physical locks and keys, keypad entry, access badges, key cards, etc. This provides reasonable limits on physical access to secure areas to only those who are authorized to be there as well as those that may be escorted by authorized individuals.

Now, let’s look at one level two practice. This practice is focused on protecting and monitoring the physical facility and support infrastructure for organizational systems. This goes a step further than escorting and used in tandem with escorting can go a long way to protecting
sensitive assets. So, this can include internal security cameras, security system sensors and actual guards – all these things can enhance the security of the office beyond the base of protections
provided for in level one. These additional layers of security will result in increased responsibilities and security concerns such as the internal network of sensors and cameras and their cabling and who’s responsible for keeping all those up and running. These additional layers of security should be tracked and traced to ensure they cannot be tampered with or compromised and give a false sense of security.

And lastly, let’s take a look at the one level three practice that is focused on enforcing safeguarding measures for CUI at alternate work sites. This is extremely important especially
with increased remote work during COVID, which we have all experienced. This simply means taking the same reasonable precautions off-site that are taken on-site. Sensitive information should be locked up and protected, regardless of where it is. You should also use a VPN, virtual
private network, when connecting into the organization’s internal secure networks. This also
includes locking your computer when not using it, encrypting sensitive information, avoiding public networks, etc., some of which we have discussed already in some of the previous domains.

So, those are the six practices for PE for levels one, two and three. Tough these practices are somewhat self-explanatory and make for good common sense, there’s a deeper level of
consistency in these practices with the other domains that we have already discussed. They are
interrelated, so go back and review those previous seven domains to see those interconnections and interrelations.

So, what do you do now? Things you should, do as I always say: fund your program, become familiar with CMMC in general and with NIST SP 800-171 and 800-53. In our next review, we are going to discuss the CMMC practice for recovery or RE.
I look forward to seeing you then, for now this is Bob Hanley from Sabre Systems signing off and thanks for joining me today to talk about CMMC domains. Thank you.