By Keiter CPAs
Note: Important Change as of November 2021
The Department of Defense announced a major overhaul to the Cybersecurity Maturity Model Certification (CMMC) program. No new contracts will feature CMMC compliance requirements until the Department completes its rulemaking process for CMMC 2.0. Read our summary of the changes, Goodbye CMMC 1.0, Hello CMMC 2.0. For more detailed information, visit the CMMC website.
Keiter’s Cybersecurity team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors.
Editor’s note: This article is one of a series of articles about the CMMC Maturity Level (ML) 1 Practices. In these articles we dive into the CMMC Practice Guides and provide our thoughts about the practices and what contractors should consider. The CMMC ecosystem is still developing, and as those developments occur, we will update these articles accordingly. As such, we hope that these articles represent an evergreen CMMC ML-1 resource.
Practice Number: PE.1.131
Practice: Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
Assessment Objectives:
- [a] authorized individuals allowed physical access are identified;
- [b] physical access to organizational systems is limited to authorized individuals;
- [c] physical access to equipment is limited to authorized individuals; and
- [d] physical access to operating environments is limited to authorized individuals.
Overview of PE.1.131
Practice PE.1.131 is primarily concerned with ensuring that Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) data are protected through physical means [b, c, d], and that physical access to data is restricted to authorized individuals, including the employees, vendors, and visitors who should have access to it [a].
Practice Scoping: Identification of Physical Spaces and Devices
To ensure your organization complies with this practice, your organization must identify the physical assets which are in scope. Only once the physical assets are identified will an organization be able to document how those assets are protected. The practice identifies three types of assets that require physical protections.
Organizational systems are data repositories and programs which process data [b].
- Examples include applications, databases, cloud platforms, and SaaS (software as a service).
Equipment includes physical devices that process or store data [c].
- Examples include servers, laptops, fax machines, and other IT devices.
Operating environments are spaces where data are processed or stored [d].
- Examples include server rooms, laboratories, networking closets, and production floors.
Although the CMMC standard identifies the three classes of physical assets, we do not recommend organizations ruminate too extensively trying to force an asset into a category. The categories are identified to show the types of assets that are in scope for the practice, rather than to create an administrative burden trying to classify every physical device into one of three categories.
Identifying Access Granted to Authorized Individuals
Having determined where FCI/CUI is physically stored, your organization will then need to identify the employees, vendors, and visitors with access to the organizational systems, equipment, and environments that hold the data [a].
There are multiple types of reports which can be useful during this part of the process. If your organization has an office building, a building manager or other appropriate staff should consider keeping an inventory of physical access to different parts of the building. This can include reports from badging or PIN systems or key inventories.
For example, a badging system configured to limit access to a server room (operating environment) should be able to generate a list of all badges issued that would permit physical entry to the server room and to whom they were issued.
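As an added example (not part of the original article or any Keiter tooling), the following Python script reconciles a badging-system export against a register of who should have access to each operating environment, producing the evidence objective [a] asks for and flagging discrepancies. The export format, door-group names, and people are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export from a hypothetical badging system: one row per
# badge, listing the door groups that badge opens. Not real data.
BADGE_EXPORT = """badge_id,holder,status,door_groups
B1001,Alice Adams,active,Lobby;ServerRoom
B1002,Bob Brown,active,Lobby
B1003,Carol Chen,active,Lobby;ServerRoom;NetworkCloset
B1004,Dan Diaz,inactive,Lobby;ServerRoom
B1005,Vendor Temp,active,ServerRoom
"""

# Constructed authorization register: who management has approved for
# physical access to each operating environment (objective [a]).
AUTHORIZED = {
    "ServerRoom": {"Alice Adams", "Carol Chen", "Dan Diaz"},
    "NetworkCloset": {"Carol Chen"},
}

def badge_access(export_text):
    """Map each door group to the holders of active badges that open it."""
    access = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["status"] != "active":
            continue  # deactivated badges cannot open doors; skip them
        for group in row["door_groups"].split(";"):
            access[group].add(row["holder"])
    return access

def reconcile(export_text, authorized):
    """Compare badge-granted access with the authorization register.

    For each environment, return who can enter but is not authorized
    (access to revoke or justify) and who is authorized but holds no
    active badge (a register entry to update or a badge to issue).
    """
    access = badge_access(export_text)
    findings = {}
    for env, allowed in authorized.items():
        granted = access.get(env, set())
        findings[env] = {
            "unauthorized": sorted(granted - allowed),
            "missing_badge": sorted(allowed - granted),
        }
    return findings

if __name__ == "__main__":
    for env, finding in reconcile(BADGE_EXPORT, AUTHORIZED).items():
        print(env, finding)
```

Run periodically, the "unauthorized" list is the item an assessor will ask about; an empty list for every environment is the record that [a] through [d] are being maintained.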
Not to be confused with...
The CMMC contains many practices and assessment objectives that are easily conflated, and this is no exception.
Assessment Objective [a] in practice PE.1.134 deals with identification of physical access devices, issued and unissued, that would enable a user to have physical access.
However, Assessment Objective [a] of this practice, PE.1.131, requires the identification of the individuals who should have access to organizational systems, equipment, and operating environments.
The key distinction: which individuals should have physical access (PE.1.131) versus which physical access devices they actually have (PE.1.134).
Methods to Limit Physical Access
Management should also understand and document the ways in which access to organizational systems, equipment, and operating environments is restricted. There are many examples that can satisfy the requirement, including:
- Storing FCI/CUI documents in a separate wing of the building that is restricted by a badging system.
- Requiring employees to enter a PIN to gain access to the building.
- Using security guards or video cameras to monitor individuals that access the facility.
- Training employees to not allow tailgaters to follow authorized individuals into the building.
All CMMC practices, including PE.1.131, are applicable wherever the FCI/CUI lives, whether it is in a system or facility that is controlled by the contractor/subcontractor or a subservice provider.
Accordingly, CMMC assessors will need to see how the practices your organization has inherited from its External Service Providers (ESPs) have been implemented. To avoid needing to separately assess their ESPs, most organizations will opt to use ESPs that already hold certifications, such as CMMC and FedRAMP, that grant reciprocity for the related practices.
This practice is fairly straightforward. Organizations should consider the types of data being stored and verify that the people who access or store the data should have access to it. If your organization retains appropriate records which demonstrate that FCI and CUI are being stored and processed using physical security methods, and that only authorized individuals can physically access the data, your organization shouldn’t have trouble passing this practice.