Welcome to our comprehensive Physical Protection guide for CMMC Level 2.0 Compliance. This guide is tailored to support DoD contractors and businesses striving for robust compliance with CMMC Level 2 standards for physical security. In this guide, you’ll find clear, actionable steps to implement effective physical access control measures that safeguard Controlled Unclassified Information (CUI) from unauthorized access.
Physical security for CMMC Level 2.0 compliance is not only critical for protecting sensitive data but also essential for maintaining operational integrity. This guide covers crucial components such as facility monitoring, security cameras for CMMC compliance, and strategies for incident response to help you meet requirements confidently and cost-effectively.
If you’re looking for expert guidance on physical protection or broader CMMC compliance, we offer a free consultation to provide tailored solutions that secure your data and strengthen compliance across your operations.
PE.L1-3.10.1 – LIMIT PHYSICAL ACCESS
“Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.”
Level Of Effort: High
This control is about physical protection: limiting who can physically reach your business's computers, equipment, and the areas around them to people who have permission. The goal is to control who can handle or be near sensitive hardware and information.
Recommendations:
Lock all doors to CUI areas: This includes both doors inside your building and outside. If your workplace has big open areas, like in manufacturing with roll-up doors, think about putting up fences to limit access.
Evidence:
For door security: Keep your System Security Plan (SSP) up to date with information on how these doors are being locked. Check that there’s no way for someone to walk into where the CUI is kept.
PE.L1-3.10.3 – ESCORT VISITORS
“Escort visitors and monitor visitor activity.”
Level Of Effort: Low
This physical protection control ensures that when visitors come to your facility, they are always with someone who has permission to be there. It also says you need to keep a close eye on what the visitors do while they are there.
Recommendations:
Develop a strict visitor policy that includes:
A sign-in method for all visitors. You can use a logbook with a person in charge or a computer system that tracks who comes in.
Give visitors a badge or ID to wear (at all times) while they are in the building.
Make sure visitors who don't come often are with an employee at all times in areas with CUI.
Evidence:
For visitor policy: Keep your SSP updated with these visitor rules.
Visitor log: Have a record of all visitors who come in.
Pro Tip: If you have trusted visitors who come often, such as a regular I.T. engineer, you might give them a special badge with more access. But remember to write down who has these badges and what steps you took to decide they could have one.
PE.L1-3.10.4 – PHYSICAL ACCESS LOGS
“Maintain audit logs of physical access.”
Level Of Effort: High
When it comes to keeping track of who comes into your building and certain areas within it, having a system to log this information is essential for this control. This is about making sure you know who's been where, especially in sensitive spots. These logs can be simple sign-in sheets or more high-tech systems such as badge readers.
Recommendations:
Set up a badge system: Consider using a card badge system for entering your building and for access to sensitive areas, like a server room. These systems not only control access but also keep logs of who enters and when. Plus, it's easier to manage than changing locks whenever someone leaves the company.
Evidence:
For the badge system: Keep your SSP updated with information about this badge system.
Badge system logs: Make sure to save the logs generated by the badge system. This is your record of who accessed different areas and when.
PE.L2-3.10.5 – MANAGE PHYSICAL ACCESS
“Control and manage physical access devices.”
This control is about managing physical access devices like keys, locks, and card readers. The goal is to know who has these and ensure they are controlled properly. Here are some tips and the records you need to show you're handling physical access devices in your organization.
Recommendations:
List of access devices: Make a list of all the things that open doors in your building, like keys and card readers. Write down who has each one and what doors or areas they can open.
Keep your access list updated: Always check and update who can use these access tools, especially when someone's job changes or if they leave the company. This is part of following the rules in PS.L2-3.9.2 – PERSONNEL ACTIONS and PS.L2-3.9.1 – SCREEN INDIVIDUALS.
Evidence:
Record of devices and who can use them: Have a list that's always up to date with all the keys and card readers, and who's allowed to use them. This list should also say which parts of your building they can get into.
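As an added example, not part of this guide, the Python script below reconciles badge-system logs (PE.L1-3.10.4) against the access-device register described above (PE.L2-3.10.5), flagging grants to badges that are unlisted, revoked, or not authorised for the area they opened. The register entries, badge ids and log lines are constructed sample data, and the comma-separated log layout is an assumption.

```python
# Added example (not from the guide): check badge logs against the device register.
from datetime import datetime

# Register required by PE.L2-3.10.5: every device, who holds it, which areas it
# opens, and when it was revoked (None = still active). Constructed sample data.
DEVICE_REGISTER = {
    "B1001": {"holder": "A. Smith", "areas": {"lobby", "server-room"}, "revoked": None},
    "B1002": {"holder": "J. Doe", "areas": {"lobby"}, "revoked": None},
    "B1003": {"holder": "M. Lee", "areas": {"lobby", "cui-floor"}, "revoked": "2024-03-01"},
}

# Badge-system log lines "timestamp,badge_id,area,result" (constructed; layout assumed).
BADGE_LOG = """\
2024-03-04T08:02:11,B1001,server-room,GRANTED
2024-03-04T08:15:40,B1002,server-room,GRANTED
2024-03-04T19:30:05,B1003,cui-floor,GRANTED
2024-03-05T07:55:00,B9999,lobby,GRANTED
2024-03-05T09:10:22,B1002,lobby,DENIED
"""

def parse_log(text):
    """Split the badge log into (timestamp, badge_id, area, result) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, area, result = line.split(",")
        rows.append((datetime.fromisoformat(ts), badge, area, result))
    return rows

def audit_badge_log(log_text, register):
    """Return findings a reviewer should investigate: grants to badges that are
    unlisted, revoked, or not authorised for the area they opened."""
    findings = []
    for ts, badge, area, result in parse_log(log_text):
        if result != "GRANTED":
            continue  # denials are expected; only successful entries are checked
        entry = register.get(badge)
        if entry is None:
            findings.append((badge, area, "badge not in register"))
        elif entry["revoked"] and ts >= datetime.fromisoformat(entry["revoked"]):
            findings.append((badge, area, f"badge revoked on {entry['revoked']}"))
        elif area not in entry["areas"]:
            findings.append((badge, area, f"{entry['holder']} not authorised for area"))
    return findings

if __name__ == "__main__":
    for badge, area, reason in audit_badge_log(BADGE_LOG, DEVICE_REGISTER):
        print(f"{badge} -> {area}: {reason}")
```

Each finding is a case where the badge logs and the device register disagree, which is exactly what an assessor will look for when comparing the two pieces of evidence.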
PE.L2-3.10.2 – MONITOR FACILITY
“Protect and monitor the physical facility and support infrastructure for organizational systems.”
Level Of Effort: High
This control is about making sure the location of your company's systems is safe and watched over. It means keeping an eye out for anyone who shouldn't be there and making sure things like network cabling and power lines are not tampered with. This can be done with guards, cameras, and sensors.
Recommendations:
Set up security cameras: Use cameras to watch entrances and exits, and places like the manufacturing floor where CUI might be.
Put in alarm systems: Place alarms at entry and exit points, and in areas where there’s CUI. Don’t forget to update the alarm codes when someone leaves the company, as part of the process in PS.L2-3.9.2 – PERSONNEL ACTIONS.
Evidence:
For security cameras: Keep your SSP updated with camera details and save the recorded footage.
For alarm systems:
Update your SSP with alarm information.
Keep logs from the alarm system.
Have records that show you changed alarm codes when needed.
PE.L2-3.10.6 – ALTERNATIVE WORK SITES
“Enforce safeguarding measures for CUI at alternate work sites (e.g., telework sites).”
Level Of Effort: High
Protecting CUI is crucial, whether it's at the main office, a remote location, or a home office. This involves creating rules and using tools to ensure that the information stays safe and private, no matter where your team works. Here are steps to achieve this, along with the evidence you need to show that you're keeping CUI secure, wherever it's accessed.
Recommendations:
Rules for handling paper CUI: Most businesses decide not to allow the printing of CUI in remote workplaces. If printing is necessary, have clear instructions for locking up the printed materials and shredding them when not needed anymore.
Guidelines for physical security: Tell your team that they should work in spaces that can be locked when they're not there. Also, computers should be secured with a physical theft-deterrent cable.
Computer security measures: Most companies don’t allow CUI to be accessed on personal computers. The most reliable approach is to block such access technically, which is often done using Conditional Access policies in Microsoft 365.
Network security protocols: Use an always-on Virtual Private Network (VPN) or Secure Access Service Edge (SASE) to keep internet connections encrypted. Check with your I.T. person on the best options here.
Evidence:
For handling paper CUI: Have an inspection report of the remote work site and update your SSP with these rules.
For physical security measures: Similarly, keep an inspection report of the remote site and update the SSP.
For computer security: Save screenshots of the Conditional Access policies in place and keep audit logs from Microsoft 365. Also, update the SSP with this information.
For network security: Keep screenshots of the VPN/SASE settings and logs of their use, along with updated information in the SSP.